Two newsworthy vulnerabilities hit the stands this week, both of particular interest to many of our at-home users. Monday morning, an infectious Tumblr virus was found after it published offensive messages to a few high-profile blogs. On the same day, a new Instagram vulnerability was made public that could allow hackers to steal or delete photos.
With all the buzz circulating around these two security issues this week, I’d like to take a moment to run down the facts: What is the risk to users, why does it matter, and what should Tumblr and Instagram users do to protect their accounts.
Anti-Tumblr Hacktivists: An Empty Threat with Implications
For the Tumblr users affected by Monday’s outbreak, the first response was panic. GNAA, a well-known hacker group notorious for their inflammatory rhetoric, exploited a security flaw in the way Tumblr users reblog content to send a fake pop-up message to users (shown below) and publish an offensive message to affected blogs.
When users dismissed the phony pop-up, the offensive blog post was automatically published to their account. Panic set in due to a message at the end of GNAA’s post: “Attempting to delete these posts will delete your Tumblr account ;] But, by all means, go ahead!”
While this threat turned out to be empty, the visceral reaction of so many users to the potential loss of their blogs is a telling reminder of how valuable our data really is–and the importance of protecting it. Tumblr engineers have now fixed the issue, but if you were affected, a password change and deletion of the infectious post is recommended.
Instagram Vulnerabilitiy: A Hack in the Making
While the Tumblr virus has now been resolved, Instagram users with Apple devices are still vulnerable to account takeover. On Friday, a security researcher published details on an attack he found in mid-November that could allow hackers to steal and delete photos. While he notified Instagram of the problem right away, it had not been fixed as of last Tuesday, and he made the issue public.
In order for this hack to work, you and the attacker must first be logged into the same insecure connection (for example, a free Wi-Fi hotspot at a coffee shop). Using this insecure connection, a hacker can then intercept information as it travels from your computer to Instagram, using it to access your account. Thus, until this issue is resolved, we recommend that all Instagram users log in only via password-protected Wi-Fi hotspots. And as always, change your password immediately if you suspect a potential attack.
Remember: Just like the items in your home, the photos and personal stuff you keep online are extremely valuable. Bad guys are out there, but there are steps you can take to stay safe.
For more updates and news from our McAfee team, follow us on Twitter @McAfeeConsumer.