Yesterday, 9to5Mac was alerted to a flaw in a third-party utility app for Instagram, called Exposure. The app helps brands connect with Instagram posters, automating the collection of agreements to use imagery for commercial purposes.
It just so happens that Apple was using this tool for its Shot on iPhone campaign. 9to5Mac contacted Apple to report the security issue. Following an investigation, a few hours later, Apple cut ties with the Exposure service.
Since being flagged, all user data is no longer accessible. Prior to that, an exploit enabled completed submissions with personal data to be publicly accessible, and retrieval of said data was trivial.
So what happened? Essentially, Exposure is an automation tool that companies like Apple can use to speed up the collection of photo licensing. When an Apple employee finds an image they like, they use the Exposure app to send the Instagram account a message with a link to a form to fill out. The form lets the user provide contact information and details of any copyright associated with the photo.
A flaw in the system allowed personal data provided by Apple to be accessed by anyone.
In testing the exploit, 9to5Mac was able to find the user accounts of Instagram members who had been shortlisted by Apple for its Shot on iPhone contest. In addition to the knowledge that the user was in the running for a possible feature in a future Apple ad campaign, the account’s email address and other metadata about the submission.
Whilst this a relatively minor data breach in the scheme of things, a nefarious hacker would have had enough information to spring a pretty convincing phishing attack with this data.
As the users behind the accounts would be excited to help further their submission, and have already had legitimate communication from the company on this matter, one could argue that those short listed make for especially vulnerable targets.
Someone could have posed as Apple in a spoofed email and requested more information like a link to a fake Apple ID login form, for instance, thereby stealing passwords and taking over the person’s account.
To be clear, there is no evidence that anything like this has happened however.
Sources indicate that the bug with the Exposure software arose due to a change in the Facebook Graph API, a chance that occured around December. Exposure are currently working on an app-level fix. We have reached out to Ignite, the company behind the Exposure tool, for a statement and will update if we hear back.
Apple has disassociated itself with the third-party contractor, and any data relating to Shot on iPhone submissions is no longer accessible. It is not clear if the company will partner with the company again in the future.
(The administration of the February Shot on iPhone contest is otherwise unaffected by these findings. Users had already been contacted before Apple disconnected from Exposure, as the last date for submissions was February 7.)