It has been reported that Social Captain, an Instagram-boosting service, has exposed thousands of Instagram passwords. A website bug allowed anyone access to any Social Captain user’s profile without having to log in — simply plugging a user’s unique account ID into the company’s web address would grant access to their Social Captain account — and their Instagram login credentials.
Commenting on this, Stuart Sharp, VP of solution engineering at OneLogin, said:
“It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers’ data. The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special — they need the user’s clear-text password to log into their customer’s account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users’ passwords by default — and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.”
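The two controls the report and the quote point at, one-way password hashing and an ownership check before returning a profile by account ID, shown together in an added example that is not Social Captain's or OneLogin's code. The service class, account IDs and PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 parameters are assumed for this example, not taken from the article.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Derive a salted, one-way hash; the clear-text password cannot be recovered from it."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountService:
    """Hypothetical service: keeps only password hashes and checks who is asking for a profile."""

    def __init__(self) -> None:
        self._hashes = {}    # account_id -> password hash string (never the clear-text password)
        self._sessions = {}  # session token -> account_id

    def register(self, account_id: str, password: str) -> None:
        self._hashes[account_id] = hash_password(password)

    def login(self, account_id: str, password: str) -> Optional[str]:
        stored = self._hashes.get(account_id)
        if stored is None or not verify_password(password, stored):
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = account_id
        return token

    def profile(self, session_token: str, account_id: str) -> dict:
        """The account ID from the URL is only honoured if the session actually owns that account."""
        if self._sessions.get(session_token) != account_id:
            raise PermissionError("session does not own the requested account")
        return {"account_id": account_id, "password_hash": self._hashes[account_id]}
```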