One Social Captain Bug Threatens the Security of Thousands of Instagram Users

Social Captain Bug Exposes Instagram Passwords

For many, Instagram is a way of using trendy filters and effects to show all your friends how tasty your salad is. For others, however, Instagram is pivotal to their money-making venture, and they need to ensure that their posts reach as many people as possible. This is where services like Social Captain come in.

The marketing speak on Social Captain's website talks about using artificial intelligence to "organically" grow your Instagram influence, but you could argue that the reality is a bit more straightforward. The idea is that Social Captain helps you gain followers by interacting with various Instagram posts and pages on your behalf. You can choose your target audience, and it's up to you to pick what sort of activity Social Captain is allowed to perform through your account. Whatever your choice, however, Social Captain needs to be connected to your Instagram profile, and unfortunately, this is where things went wrong recently.

Social Captain exposed Instagram login credentials in plain text

It must be said that security-conscious users might be unimpressed with Social Captain from the very start. At the time of writing, modern browsers warn that portions of Social Captain's website aren't delivered via HTTPS, which means that not all of the information you send and receive is encrypted. In this day and age, this is frowned upon not only by the security community but also by some users. A security researcher who asked to remain anonymous recently discovered another issue that was a lot more pressing, though.

They got in touch with TechCrunch's Zack Whittaker and explained that people who had connected their Instagram accounts to the popularity-boosting service could see their social network login credentials inside the source code of their Social Captain profile page. Whittaker hooked up a throwaway Instagram account to a newly created Social Captain profile and managed to confirm the findings within minutes.

To say that this is not ideal would be an understatement. It would mean that under the right circumstances (you haven't logged out of your Social Captain account, and an attacker gets access to your device), your password would be just a couple of clicks away. The bug also meant that Social Captain could actually see your Instagram password, which isn't supposed to happen. Apps that you integrate with your social media profiles usually work with the help of access tokens, and while they do get access to certain parts of your account, login credentials normally remain off-limits.

The findings were worrying, but then the anonymous researcher revealed another bug that made things a whole lot worse.

A Social Captain bug allowed the scraping of Instagram users' personal information

By design, your Social Captain profile page should only be accessible after authentication, which means that even if your credentials are stored in the page source, the chances of an in-the-wild attack are somewhat slim. The researcher discovered, however, that a flaw allowed them to view the Social Captain profiles of complete strangers without guessing or compromising their passwords.

Instead, the expert simply changed the account ID in the web address. This automatically put users' Instagram accounts at risk because their login data was stored in the page source of Social Captain's profile pages. To make matters worse, according to Whittaker, account IDs were mostly sequential, which opened up the possibility for a resource enumeration attack.
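The two flaws described above, reduced to a minimal server-side handler next to a corrected form. This is an added example, not Social Captain's code; the data model, function names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    owner: str               # service user who created this profile
    instagram_username: str
    instagram_secret: str    # credential or token held by the service


# Constructed sample records keyed by sequential account IDs.
PROFILES = {
    1001: Profile("alice", "alice_bakes", "constructed-secret-a"),
    1002: Profile("bob", "bob_travels", "constructed-secret-b"),
}


class Forbidden(Exception):
    """The session user may not see the requested profile."""


def view_profile_vulnerable(session_user: str, account_id: int) -> dict:
    # Flaw 1: session_user is never compared with the profile owner, so the
    # ID taken from the URL alone decides whose data is returned.
    # Flaw 2: the stored secret is serialized into the page sent to the browser.
    p = PROFILES[account_id]
    return {"instagram_username": p.instagram_username,
            "instagram_password": p.instagram_secret}


def view_profile_hardened(session_user: str, account_id: int) -> dict:
    p = PROFILES.get(account_id)
    # One error for "no such ID" and "not your ID", so responses do not
    # reveal which account IDs exist.
    if p is None or p.owner != session_user:
        raise Forbidden("profile not available")
    # Return only what the page needs; the secret stays on the server.
    return {"instagram_username": p.instagram_username, "connected": True}


if __name__ == "__main__":
    print(view_profile_vulnerable("alice", 1002))   # bob's secret leaks to alice
    print(view_profile_hardened("alice", 1001))     # alice sees her own profile
    try:
        view_profile_hardened("alice", 1002)
    except Forbidden as exc:
        print("denied:", exc)
```

Replacing sequential IDs with random ones makes guessing harder, but the ownership check is what actually closes the hole.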

To prove this, the security researcher presented Whittaker with a spreadsheet containing the information of about 10 thousand Social Captain users. For just under half of them, the scraped data included Instagram usernames and passwords.

Fortunately, it looks like cybercriminals didn't manage to get to Social Captain's vulnerability before the security researcher. With the help of Whittaker, the expert disclosed the hole, which has now been plugged. Social Captain told TechCrunch that it's investigating the matter and will alert potentially affected users as soon as possible.

Instagram is also investigating. The photo-sharing network said that Social Captain's insecure handling of people's login credentials might be a violation of its terms of service. Although there's nothing to suggest that the bug has been exploited, all Social Captain users are advised to change their Instagram passwords just in case.

As for anyone else, this story should be yet another reminder of the potential implications of connecting social media accounts to third-party apps and services.

February 4, 2020
