Released on October 6th, 2010, Instagram has reached a new level of popularity with today’s generation. Beyond all the hullabaloo about Instagram’s new logo, which resembles templates available on Microsoft PowerPoint, the social networking service has always been in the news owing to regular, hourly updates from its user base, which includes numerous celebrities. The mobile photo and video sharing platform has turned into a source of entertainment, stalking, fun and much more for Generation Y.

The craze for followers and likes on Instagram has taken over the day-to-day interests of its users. As the app became popular, its users started hunting for followers and likes alike. This resulted in an increasing number of websites offering services that cater to these needs. Some did this by introducing fake accounts, others by tapping loopholes in Instagram's basic code. Did they hack Instagram this way? That question can only be answered by the competent authorities of the Cyber Cell.

The trend of increasing likes and followers soon started being used as a popularity meter for Instagram users. While users were able to boast about their profiles, this took an ugly turn in many cases. Instagram accounts with huge numbers of followers soon started getting hacked by professionals, who would use means like poaching, password tracking and numerous others to trap their victims.

In June 2016, there was an uproar about an Ugly List doing the rounds on Instagram, one of the latest attempts to hack Instagram accounts. The Ugly List is allegedly a list of the ugliest people on Instagram. Instagram users found out that their closest friends were the ones tagging them on this list. What was this Ugly List all about? It starts with the user receiving a notification that he/she has been tagged in the Instagram Ugly List 2016. This notification might come from a stranger or even a close friend.
Out of curiosity, the user clicks on the link mentioned in the notification, either to check out the other people on the list or to find out why they were tagged there in the first place. This click on the link is what those who hack Instagram need the most. Once the user has clicked on the link, the person who created the Instagram Ugly List 2016 is able to hack the user's Instagram account and gain access to all his/her photos, videos and activity log. The hacker then uses this newly hacked profile as a source to tag all its contacts in the Instagram Ugly List 2016. This cycle repeats itself every time a user clicks on the infected link.

Many times, hackers hack Instagram accounts with passwords from other social networking sites that they have obtained for friends or acquaintances. Recently, Mark Zuckerberg fell prey to such an initiative by a hacking group, OurMine, who used his compromised LinkedIn password to hack his Twitter and Pinterest accounts. Interestingly, his password was a simple “dadada”. Numerous celebrities, including the likes of Taylor Swift and Maine Mendoza, have been victims of hacked Instagram profiles. This has been due to the repetition of passwords or some phishing scheme. It is therefore suggested that, to be safe from Instagram hacks, one needs to keep a strong password for each of his/her social networking accounts and stay away from scam links.

Recently, a Belgian bug bounty hunter, Arne Swinnen, found two big vulnerabilities in the Instagram app, which would enable any hacker to access millions of accounts on Instagram, providing them with easy means to hack Instagram. These vulnerabilities are due to Instagram’s policy of using incremental user IDs and its weak password protection policies. Hackers can use a brute force attack on any Instagram account because of improper security implementations, all of this via Instagram’s Android Authentication API URL.
He says that for the first 1000 failed login attempts on the app’s Mobile Login API, the code returns “Password you entered is incorrect.” For the next 1000 failed attempts, the code returns “Username not found”. Even after 2000 failed attempts, the app started giving unreliable responses like “Username not found”. Having tested his theory with over 10,001 password attempts at a single Instagram account, he realised that to hack Instagram, a coder simply needs to write code which mounts a reliable brute force attack and replays the incorrect responses until a reliable one is obtained.

Another vulnerability, identified by Swinnen himself, was that a hacker could hack Instagram by applying a brute force method against the Instagram Web Registration Endpoint, which, oddly, does not trigger an account lockout or any other security measure. Swinnen did this by registering a test account on Instagram and recording the HTTP request for the same. Later, he replayed the same request after removing the Username and Password. In return he got a message which read “Those credentials belong to active Instagram account.” Owing to the loophole that there was no rate limitation activated on the app page, he was able to do this over 10,000 times before sending the correct responses to the app and receiving an affirmation from the page.

Numerous such vulnerabilities lie in the code behind the pages of social networking sites, Instagram being one of the most vulnerable of all. While reporting such loopholes results in bounties for the researchers who locate them, most of the time it is the daily user who stands to lose out on his/her privacy. Hackers hack Instagram accounts for personal information and privately shared photographs and videos, which run the risk of being misused or circulated for all the wrong reasons. This causes major embarrassment for the users, some of whom are not able to handle all the humiliation that results from this.
Instagram has started rectifying its flaws as a rescue operation and soon enough, hacking Instagram, hopefully, will be a tough nut to crack even for professional hackers.
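
One way to close both gaps described above, added here as an example and not Instagram's or Swinnen's code: every endpoint that can confirm a username/password pair goes through one function, so the login and registration paths share the same failure counter and return the same generic error. The thresholds, messages and names (`CredentialThrottle`, `check_credentials`, `make_record`) are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold, not Instagram's real value
WINDOW_SECONDS = 900    # assumed sliding window (15 minutes)
GENERIC_ERROR = "Invalid username or password."
THROTTLED = "Too many attempts. Try again later."

def make_record(password, salt=None):
    """Return (salt, PBKDF2 hash) for storage; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DUMMY = make_record("unused")   # hashed for unknown users so timing stays similar

class CredentialThrottle:
    """Failure counters per account and per client IP, shared by every
    endpoint that can confirm a username/password pair."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)     # key -> failure timestamps

    def _recent(self, key):
        q, cutoff = self._failures[key], self._clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:             # drop failures outside the window
            q.popleft()
        return len(q)

    def blocked(self, user, ip):
        return (self._recent(("user", user)) >= MAX_FAILURES
                or self._recent(("ip", ip)) >= MAX_FAILURES * 4)

    def record_failure(self, user, ip):
        now = self._clock()
        self._failures[("user", user)].append(now)
        self._failures[("ip", ip)].append(now)

def check_credentials(throttle, users, username, password, ip):
    """Single code path for the login AND the registration handler."""
    user = username.strip().lower()
    if throttle.blocked(user, ip):
        return 429, THROTTLED        # the guess is not evaluated while blocked
    salt, digest = users.get(user, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if user not in users or not hmac.compare_digest(digest, candidate):
        throttle.record_failure(user, ip)
        return 401, GENERIC_ERROR    # same text for unknown user and bad password
    return 200, "OK"
```

While an account is blocked, even the correct password is refused, so a guess cannot be confirmed by retrying it, and the block expires on its own once the window has passed.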