
Instagram accidentally exposed user passwords through its data download tool - smueller1234
https://www.theverge.com/2018/11/17/18100235/instagram-security-bug-exposed-user-passwords-data-download-tool
======
unimpressive
"According to Instagram, some users who used that feature had their passwords
included in a URL in their web browser, and that the passwords were stored on
Facebook’s servers, Instagram’s parent company. A security researcher told The
Information that this would only be possible if Instagram stores its passwords
in plain text, which could be a larger and concerning security issue for the
company. An Instagram spokesperson disputed this, saying that the company
hashes and salts its stored passwords."

Uh-huh.

~~~
liftbigweights
> An Instagram spokesperson disputed this, saying that the company hashes and
> salts its stored passwords.

If that's the case, how did they extract the plaintext password from the
stored password to embed in the URL?

Possible scenarios are

1. They are lying and stored plaintext passwords.

2. They do hash/salt to store the password in the db but they also use the
plaintext password provided from the client side for other things as well.

3. Or they have secretly developed technology to reverse the hash/salt.

I'm feeling nice so my guess is #2. They do hash/salt in the db and use that
for password matching but they also do stuff with the plaintext. It's hard to
imagine #1 being true for a major tech company like FB and even harder for #3
being true.
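An added illustration of scenario #2 (example code written here, not Instagram's or Facebook's): the stored record is salted and hashed, yet the plaintext is still present in the request after verification, and a generic "echo the form back into the redirect" step puts it in a URL where server access logs and browser history will keep it. The hostname, field names and sample credentials are constructed for the example; the last function is the kind of check a defender can run over URLs found in access logs.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory user store: username -> (salt, PBKDF2 digest)
USERS = {}

# Query-parameter names that should never appear in a URL (assumed list)
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret"}


def store_password(username: str, password: str) -> None:
    """At-rest storage as the spokesperson describes it: per-user salt + hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[username] = (salt, digest)


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    salt, digest = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


def naive_redirect(form: dict) -> str:
    """Scenario #2's leak: the hash is fine, but the request-handling code
    reflects every submitted field, plaintext password included, into the URL."""
    return "https://example.invalid/download/ready?" + urlencode(form)


def safe_redirect(form: dict) -> str:
    """Hardened builder: credential fields are dropped before any URL is built."""
    kept = {k: v for k, v in form.items() if k.lower() not in CREDENTIAL_FIELDS}
    return "https://example.invalid/download/ready?" + urlencode(kept)


def leaked_credential_params(url: str) -> list:
    """Detection: which credential-looking query parameters does this URL carry?
    Run over URLs pulled from access logs or proxy logs to find the leak."""
    params = parse_qs(urlparse(url).query)
    return sorted(k for k in params if k.lower() in CREDENTIAL_FIELDS)


if __name__ == "__main__":
    store_password("alice", "correct horse battery")      # constructed sample
    form = {"username": "alice", "password": "correct horse battery", "fmt": "json"}
    assert verify_password("alice", form["password"])
    print(leaked_credential_params(naive_redirect(form)))  # ['password']
    print(leaked_credential_params(safe_redirect(form)))   # []
```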

------
smueller1234
Shockingly, this means they've been storing them in clear text. Just wow if
that turns out to be true.

