A pretty serious Instagram security flaw has made the news this week, following on from a similarly worrying vulnerability found in WhatsApp earlier this month. Both have already been fixed, but they paint a concerning picture for anyone registered to either service. (Read: pretty much everyone.)
Source code on Instagram’s website was at fault in this first case – that is to say, the app itself was not to blame – but it left private user data potentially exposed. It’s unclear whether anyone took advantage of the flaw, but thousands of users’ personal contact details were open to attack for several months before the code was patched back in March.
Meanwhile, the bug in WhatsApp’s iOS and Android apps opened up those devices to attack via spyware. This particular vulnerability isn’t one that just anyone could take advantage of, but it’s something that would let a committed and extremely talented hacker potentially access files on the device. Again, we don’t know for sure how many users were affected, but it seems as though the flaw was primarily used to target specific individuals and not the general public.
WhatsApp has since been updated to address the flaw, so make sure to check for updates in the App Store to ensure you’re protected.
It’s also worth noting that although some have tried to use this failure by WhatsApp to call into question the effectiveness of end-to-end encryption – Bloomberg even going so far as to (laughably) call the very concept a pointless gimmick – we should still be thankful to all the services that use it. iMessage uses end-to-end encryption, as does WhatsApp, and Signal. In this case, WhatsApp’s mistake left one of the ends open to attack – the encryption in the middle had nothing to do with it.
Saying end-to-end encryption is pointless because rare attacks like these can still happen is like saying there’s no point installing locks and security alarms on your house because talented criminals might still be able to break in some other way.
After a horrendous year in the media spotlight last year, Facebook must be pretty pleased some other companies are making the news for security mistakes. Except – wait, oh yeah, both Instagram and WhatsApp are owned by Facebook. Whoops!