Many
social media apps and services let you sign in with Facebook. But only
one — Instagram, owned by Facebook — assumes that you're using the same
email address for both services.
And
as Mashable has learned, that has led to at least one embarrassing
situation — where a man in his late 20s unwittingly found himself with
access to the Instagram account of a high school girl.
San
Francisco resident Michael Wagner (no relation) created an Instagram
account shortly after the service launched in late 2010. He never posted
to the account, never really checked it, and ultimately forgot about
it.
When
friends encouraged Wagner to re-open his Instagram at a brunch a few
weeks ago, Wagner pulled up the app but couldn't remember his username
or password. He wasn't sure which email he had used to sign up. Instead,
he hit the "Register With Facebook" button on the login screen in hopes
of signing in automatically.
The
account opened, and Wagner, who had never posted a photo, was surprised
to find more than 100 photos posted and more than 500 followers of the
account. It didn't take long to realize he was in another user's
account.
The
account was operated by a girl who looks to be in high school. Wagner,
27, now had access to her photos, messages, and friends list.
It
appears that the girl — who has had control of the account since its
creation, according to Instagram — signed up for the service using
Wagner's email. (They share initials, so it's likely this was a typo.)
Instagram
does not require users to verify their emails when they sign up, so
it's possible she never even realized she'd used an email she didn't
control.
The
company says this issue is "rare," but won't specify how frequently
people land in another user's account. It appears that Instagram assumes
that whoever owns a Facebook account's email address must also own the
Instagram account associated with that same email.
It's a poor assumption considering the vast number of users on both services.
It's a poor assumption considering the vast number of users on both services.
What
we don't know is how many others have signed up on Instagram using the
wrong email address — accidentally or purposely — and either locked out
the rightful email owner from signing up, or worse, accidentally given
the email owner access to all of their photos and messages.
Companies
such as Twitter, Google, and even Instagram's parent, Facebook, are
offering existing users two-step authentication to ensure a password
alone won't lead to the loss of their private information. On these
services, setting up an account also requires verification of some sort.
On
Twitter, new users can create an account but can't access private
messages or alerts unless they verify their email. Facebook requires
users to verify their email before sending messages.
Instagram
encourages users to verify their emails when they sign up, but it's not
required. This makes it easier for people to sign up — but evidently it
doesn't help keep users safe.
With
the addition of private messaging to the Instagram app in December,
users don't just have their pictures to worry about — but personal notes
too.
Wagner
raised the issue with Instagram via the app's "Report A Problem" link
as soon as he discovered it. He didn't hear back from the company for
over a week, and was still able to access the account the entire time.
He
even changed the password, but it didn't boot the high school user out —
Instagram users retain access the app after a password change if they
were already using it. Since the girl was already logged into the app on
her phone, she would never even know the password had been switched.
Instagram
is now aware of the problem and working to fix things, but isn't
promising that any form of authentication will be required.
"As
part of our work to help make Instagram a safe and secure community,
our sign-up flow encourages people to confirm their email address when
they create an account. As always, registering your account with an
email address you control is an important part of keeping your accounts
safe on Instagram and other services you use."
The
company is working to build an easier alert system for users who may
find themselves in another user's account, the spokesperson says, but
that's all. Wagner, who brought the issue to Mashable and never posted
on behalf of the other user, has since been disconnected from the
account.
Mashable was unable to contact the girl posting to the account.
The
obvious fix for Instagram: requiring email verification for users who
create a new account. This might slow down the app's rate of growth a
little — but it would also ensure that another user can't access your
profile.
Posted by : Gizmeon
No comments:
Post a Comment