Instagram’s Lax Privacy Practices Let A Trusted Partner Track Millions Of Users’ Physical Locations

It has been revealed that Instagram’s lax privacy practices let trusted partner Hyp3r track millions of users’ physical locations, secretly save their stories, and flout its rules. Hyp3r used four key tools to scrape data from Instagram users. First, it utilized an Instagram security hole that allowed it to “zero in on specific locations” and collect all the posts made from those locations. Second, Hyp3r “systematically saved users’ public Instagram stories,” again utilizing that location data. Third, it “scraped public user profiles on a broad basis, collecting information like user bios and followers, which it then combined with the other location information.” Lastly, Hyp3r used image recognition software on user posts to analyze what the images included.

Full Story Here: https://9to5mac.com/2019/08/07/instagram-ad-partner-hyp3r/


EXPERTS COMMENTS
Patrick Hunter, Sales Engineering Director, EMEA, One Identity
August 12, 2019
Lax security around access is one of the most commonly used backdoors to allow hackers in.
There are several things on the table here, and they are not really cyber security related. Firstly, there is the ethical side to the scraping of data from Instagram. Remember, this was perfectly allowed by Instagram until Facebook (the owner) fell afoul of the Cambridge fiasco. Instagram has changed its rules, but is that enough? The data was still being collected because Instagram did not und ....
Eoin Keary, CEO and Cofounder, Edgescan
August 12, 2019
The majority of social media apps and networks leverage individuals’ data as a commodity.
This could be a violation of GDPR if EU citizens’ data is being collected using the app. Harvesting of EU citizens’ data without permission is a violation of the directive, and we are starting to see organisations being fined significant amounts of money for ignoring privacy rights and not making the necessary steps to protect their users’ personal information. People also need to under ....
Stuart Sharp, VP of Solution Engineering, OneLogin
August 09, 2019
Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental.
Whilst a new attack vector is an interesting warning to all organisations - and an illustration of the ingenuity of man - for many organisations this is just another issue they need to worry about. Attacks like these are particularly concerning as they are so difficult to detect and can prove to be detrimental if executed successfully. These attacks are certainly viable as they require low powered ....
Gavin Millard, VP of Intelligence, Tenable
August 09, 2019
It’s a reminder of the risks rogue assets and other unexpected devices on the network pose.
This attack method isn’t new and has been leveraged by pen testers for many years, and not just warshipping but also ‘leave behind.’ It’s a reminder of the risks rogue assets and other unexpected devices on the network pose. "Having robust authentication methods on WiFi connections as well as an effective network access control solution will mitigate attack methods like warshipping, bu ....
Felix Rosbach, Product Manager, comforte AG
August 09, 2019
Data might also be stitched together and/or used in an inappropriate way by simply allowing third parties to access it.
Even if scraping publicly available data seems unlikely to be illegal under US law, there is still a risk that people are losing trust. Any organization processing consumer data should be very careful when sharing that data with third parties or making it publicly available. Sensitive data, even data sets that don’t seem to be identifiable information at first sight, always needs to be protected ....
