A serious security flaw in Instagram's "Download your Data" tool has accidentally leaked the passwords of some users, according to a report from The Information.
To recall, Instagram rolled out the new "Download your Data" feature back in April, allowing its users to download a full copy of all their data along with what the company has collected so far. The feature was introduced after European lawmakers rolled out the General Data Protection Regulation (GDPR).
Unfortunately, due to a bug present since then, the passwords of people who submitted their credentials to use the tool were exposed by being included in the URL of the webpage. The passwords were also reportedly stored on the servers of parent company Facebook. This may not appear to be a serious issue at first glance, but it poses a potential risk to a user if a third person has access to their browsing history or if the feature was used on a public or shared computer.
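A URL that carries a password is also recorded wherever URLs are recorded, including web server access logs. The following added example (not code from the report or from Instagram) scans access-log lines for credentials in query strings and redacts them; the parameter names, the `/export` path, the log format and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; adjust to the application's own form fields.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)

def redact_url(url):
    """Return (redacted_url, [sensitive parameter names found])."""
    parts = urlsplit(url)
    hits, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE.search(name) and value:
            hits.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits

# Constructed access-log lines (common log format), not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /export?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "POST /export HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /export?user=bob&passwd=p%40ss HTTP/1.1" 200 512',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(lines):
    """Return findings and a copy of the log with credential values redacted."""
    findings, scrubbed = [], []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            redacted, hits = redact_url(m.group("target"))
            if hits:
                findings.append((lineno, m.group("method"), hits))
                line = line[:m.start("target")] + redacted + line[m.end("target"):]
        scrubbed.append(line)
    return findings, scrubbed

if __name__ == "__main__":
    findings, scrubbed = scan_log(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    print("\n".join(scrubbed))
```

The second sample line shows the safe pattern: the credential travels in a POST body, so nothing sensitive appears in the request target that history and logs record.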
Addressing the issue, a spokesperson for the company said that it was "discovered internally and affected a very small number of people." Furthermore, the affected users have been informed via e-mail and asked to change their passwords and clear their browser history to prevent anyone from seeing the URL that included their password.
Moreover, a researcher hinted that this would have been possible only if Instagram stored passwords in plain text, which is an awful practice for such a big social media giant used by millions of people. In reply, the spokesperson defended the company by saying that it hashes and salts its stored passwords. For now, the company has made the necessary changes to resolve the shortcomings.