New vulnerabilities with Uber and Instagram identified (Includes interview)

Severe vulnerabilities affecting Instagram and Uber have been reported in Forbes. The first report concerns a vulnerability that would allow a threat actor to obtain Instagram users’ real names, Instagram account numbers and handles, and full phone numbers. The concern is that an attacker exploiting this vulnerability with an army of bots and processors could build a searchable or attackable database of users, bypassing the protections on that data.

This follows an earlier issue affecting Facebook, relating to a weakness in its data security. An online database was discovered listing the phone and account numbers for 419 million users.

Vinay Sridhara, the CTO at Balbix, told Digital Journal: “Once again, Facebook is in the news for the wrong reason. This Instagram vulnerability comes only one week after reports of Facebook users’ phone numbers being leaked via a misconfigured third-party database. However, the difference between these incidents is that the 419 million users’ phone numbers exposed were scraped before Facebook restricted access to this information in 2018, but exploiting the Instagram vulnerability would allow a threat actor to obtain access to up to date phone numbers and other pieces of information for potentially all users – in theory.”

In terms of how serious the issue is, Sridhara explains: “Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim. This is all deeply personal information that the consumers trust with the enterprises to be protected with highest responsibility.”

The second story concerns a flaw that could allow attackers to compromise and control any Uber account via an Application Programming Interface (API) request. The security researcher who found the flaw has revealed that the vulnerability could be exploited to track a user’s location, take rides from their account, obtain users’ payment information, access users’ addresses, and more. Besides Uber users, the same vulnerability impacted Uber driver accounts and Uber Eats accounts. This issue was discovered by Anand Prakash, founder of AppSecure.

Sridhara also weighs in on this issue, seeing the Uber issue as something more serious: “The reported vulnerability from Uber is worrisome as it could be exploited to reveal users’ locations, addresses, payment information and an attacker would even be allowed to request rides from an account.”

Drawing the Uber and Instagram issues together, Sridhara notes: “Both Instagram’s and Uber’s vulnerabilities show that a shortage of cybersecurity resources and skills affects all organizations. To analyze and have a continuous real-time visibility across all these vulnerabilities will mean analysis of millions if not billions of signals every second.”

As to what needs to be done, he recommends: “It is imperative that organizations leverage security tools that employ artificial intelligence, machine learning and deep learning technology to continuously observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be addressed in a prioritized manner.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
