The startup that helped Instagram users gain popularity have unintentionally ditched their security, the service Social Captain inadvertently exposed users’ Instagram account passwords.

Social Captain Bugs Exposed Data

Recently, TechCrunch revealed details of a cybersecurity issue affecting Instagram users. Specifically, they disclosed bugs in the service Social Captain that put thousands of Instagram accounts at risk. In brief, a researcher, whom they haven’t named, found that Social Captain stored Instagram users’ accounts in plain text. Anyone, after logging in to the app, could see their username and password in plain text when viewing the source code of their Social Captain profile page. While this already posed a threat, things worsened further when the bug exposed users’ passwords to others. Specifically, anyone logged in to the service could simply view others’ passwords as well by simply replacing the unique account ID on the URL. This unique account ID was a sequential one, so anyone making sequential changes to one’s own ID could view others’ account credentials. The researcher could scrape around 10,000 accounts. The scraped datasheet shared with TechCrunch also had information about the free or premium subscription of the user accounts. In the case of premium accounts, the data also included billing details.

Investigations Underway

Following this discovery, TechCrunch contacted Social Captain regarding the bug, who confirmed its existence. Besides, they also fixed the vulnerability by preventing access to other users’ profiles. Regarding how the bug appeared, Anthony Rogers, CEO Social Captain, said,

Early analysis indicates that the issue was introduced during the past weeks when the endpoint, meant to facilitate integration with a third-party email service, has been temporarily made accessible without token-based authentication.

TechCrunch could confirm that their web page source code still shows the account information. For now, the service is investigating the matter, after which, according to Rogers, they will inform users.

As soon as we finalize the internal investigation, we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.