Connect with us

Hi, what are you looking for?

Tech & Science

New vulnerabilities with Uber and Instagram identified (Includes interview)

The severe vulnerabilities affecting Instagram and Uber have been reported in Forbes. The first report is about a vulnerability that would allow a threat actor to obtain Instagram users’ real names, Instagram account numbers and handles, and full phone numbers. The concern here is that exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable or attackable database of users, bypassing protections protecting that data.

This follows an earlier issue affecting Facebook, relating to a weaknesses in its data security. An online database was discovered listing the phone and account numbers for 419 million users.

Vinay Sridhara, the CTO at Balbix, told Digital Journal: “Once again, Facebook is in the news for the wrong reason. This Instagram vulnerability comes only one week after reports of Facebook users’ phone numbers being leaked via a misconfigured third-party database. However, the difference between these incidents is that the 419 million users’ phone numbers exposed were scraped before Facebook restricted access to this information in 2018, but exploiting the Instagram vulnerability would allow a threat actor to obtain access to up to date phone numbers and other pieces of information for potentially all users – in theory.”

In terms of how serious the issue is, Sridhara explains: “Armed with phone numbers, a threat actor can hijack accounts associated with that number by having password reset codes sent to the compromised phone as well as attempt to trick automated systems from victims’ banks, healthcare organizations, and other institutions with sensitive data into thinking the attacker is the victim. This is all deeply personal information that the consumers trust with the enterprises to be protected with highest responsibility.”

The second story concerns a flaw that could allow attackers to compromise and control any Uber account via an Application Programming Interface (API) request. The security researcher who found the flaw has revealed that the vulnerability could be exploited to track a user’s location, take rides from their account, obtain users’ payment information, access users’ addresses, and more. Besides Uber users, the same vulnerability impacted Uber driver accounts and Uber Eats accounts. This issue was discovered by Anand Prakash, founder of AppSecure.

Sridhara also weighs in on this issue, seeing the Uber issue as something more serious: “The reported vulnerability from Uber is worrisome as it could be exploited to reveal users’ locations, addresses, payment information and an attacker would even be allowed to request rides from an account.”

Drawing the Uber and Instagram issues together, Sridhara notes: “Both Instagram’s and Uber’s vulnerabilities show that a shortage of cybersecurity resources and skills affects all organizations. To analyze and have a continuous real-time visibility across all these vulnerabilities will mean analysis of millions if not billions of signals every second.”

As to what needs to be done, he recommends: “It is imperative that organizations leverage security tools that employ artificial intelligence, machine learning and deep learning technology to continuously observe and analyze the entire network in real time and derive insights in order to prioritize the vulnerabilities that need to be addressed in a prioritized manner.”

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:

Tech & Science

Action can still be implemented and the REN21 report demonstrates that the advantages of renewable energy.

Business

Cartier owner Richemont posted Friday a hefty drop in net profit for the first half of the year as watch sales sank in China.

Tech & Science

The device could help people with visual impairments “feel” their surroundings or give feedback to people with prosthetic limbs.

Life

This made the use of menthol tobacco products a suitable area of focus by Virginia Tech’s Fralin Biomedical Research Institute.