Instagram accidentally reveals plaintext passwords in URLs

In April, with the GDPR deadline and its requirement for data portability looming, Instagram released the long-anticipated “download your data” tool. The feature gave users the ability to download their images, posts and comments.

Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said.

As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords may have shown up in plaintext in the URL of their browsers.

It seems that the problem occurred if users hit “enter” after typing their password instead of hitting the “submit” button.

That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around, or anyone with access to their browser history.

HTTPS would have ensured that the URLs were encrypted in transit, and invisible to anyone snooping on the wire, but the biggest concern is what happened when the “download your data” request arrived at its destination, Instagram.

Passwords are closely guarded secrets and URLs are not, and so companies handle them very differently. Passwords are typically transformed into salted hashes before being stored, so that nobody – not even admins – can see them, while URLs are routinely logged in databases or log files precisely so that administrators can see them.
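As an added example (not code from the article, from Instagram or from Facebook), here is a small Python scanner that applies the distinction above to a web server's access log: it flags request URLs carrying password-like query parameters and redacts their values before the line is kept, so a form that ends up submitting via GET does not leave the secret in the logs. The log lines are constructed for the example and the list of parameter names is an assumption, not Instagram's.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never appear in a URL (assumed list for this example).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "access_token"}

# The request part of a Common/Combined Log Format line: "METHOD /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def sensitive_keys_in_url(target):
    """Names of sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_url(target):
    """Replace the values of sensitive query parameters with a placeholder."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log_line(line):
    """Return (redacted_line, leaked_keys); clean lines come back unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    leaked = sensitive_keys_in_url(m.group("target"))
    if not leaked:
        return line, []
    redacted = line[:m.start("target")] + redact_url(m.group("target")) + line[m.end("target"):]
    return redacted, leaked


def scan_log(lines):
    """Scan many lines; return ([(line_no, leaked_keys)], redacted_lines)."""
    findings, out = [], []
    for n, line in enumerate(lines, 1):
        redacted, leaked = scan_log_line(line)
        if leaked:
            findings.append((n, leaked))
        out.append(redacted)
    return findings, out


# Constructed sample lines (not real Instagram logs). The second models the failure mode
# in the article: a form submitted via GET, so the password lands in the request URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2018:21:03:11 +0000] "POST /download/request HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Nov/2018:21:03:40 +0000] "GET /download/request?email=alice%40example.com&password=hunter2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Nov/2018:21:04:02 +0000] "GET /p/abc123?utm_source=mail HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    findings, cleaned = scan_log(SAMPLE_LOG)
    for n, keys in findings:
        print(f"line {n}: sensitive parameter(s) in URL: {', '.join(keys)}")
    print("\n".join(cleaned))
```

Running the redaction as a log-ingestion filter (rather than after the fact) is the mitigation the incident points at; scanning existing logs is how you find out whether the damage has already been done.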

It’s a bit like treating something that’s supposed to be marked “Top Secret” as merely “Restricted”.

The Information quoted an Instagram spokesperson who said that the issue was…

…discovered internally and affected a very small number of people.

Facebook didn’t say whether anybody’s Instagram account was compromised because of the error, and Naked Security has learned that Instagram is indeed in the process of deleting any passwords that may have been incidentally logged by its systems.

We’ve already seen bigger, recent problems

Bigger problems, indeed. We don’t know what Facebook/Instagram’s definition of “small” is when it comes to this breach, but we do know that security practices led to a massive breach at Facebook in September, with what would eventually turn out to be around 30 million accounts affected and another 40 million reset as a “precautionary step.”

Attackers exploited a vulnerability in Facebook’s “View As” feature to steal access tokens, which are the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app. At least in the early days following the attack, Facebook said it looked like the hole was opened when developers made a change to the video uploading feature way back in July 2017. The attackers then stole an access token for one account, and then used that account to pivot to others and steal more tokens.

Update 2018-11-21

Since publishing the article Naked Security has learned new information about the incident. We have updated the story to reflect the fact that passwords may have been written and stored in plain text log files, rather than being stored in plain text as a matter of course.