Instagram bug exposed users' passwords in the URL; it also emerged that the passwords were stored on Facebook's servers

It has come to light that Instagram mistakenly displayed users' passwords in plaintext in a URL, leaving those passwords viewable by third parties.

New Instagram Bug Raises Security Questions - The Information

Instagram Accidentally Exposed Some Users' Passwords In Plaintext

The bug occurred in "Download Your Data", a feature Instagram introduced in April 2018 that lets users download the images and videos they have shared on Instagram. The feature appeared in the wake of the user-data misuse problem at Facebook, Instagram's parent company, and made it possible for users to download their own data, which had not been possible until then.

When a user downloads data with Download Your Data, the URL of a dedicated download page is sent to them, and they are asked for the password they set. For some users, however, the plaintext password was included in the URL of the download page, so the password could be viewed by a third party.

Instagram has fixed the problem of the password appearing in the URL. It is notifying users affected by the disclosure to change their password as soon as possible, and it recommends that they delete their browser history. Users who have not received a notification from Instagram are apparently not affected by this bug.

In addition, an internal investigation into the URL bug turned up another "bug": users' passwords were also stored on the servers of Facebook, Instagram's parent company. Even for a parent company, sharing passwords between the servers of different services appears to be a problem in how they are handled, but according to Instagram, all of the user passwords on Facebook's servers have been deleted.
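A password placed in a URL is visible wherever that URL is recorded, which is why affected users were told to clear their browser history. As an added example (not Instagram's code; the parameter-name list, host, paths and log lines are constructed assumptions), this Python code finds credential-bearing query parameters in the request and Referer URLs of access-log lines and masks them:

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: parameter-name tokens that should never carry a value in a URL.
SENSITIVE_TOKENS = {"password", "passwd", "pwd", "pass", "secret", "token"}

def redact_url(url):
    """Return (url with sensitive query values masked, list of leaked names)."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Split "user_password" into {"user", "password"} so that names such
        # as "passenger" or "compass" are not flagged by substring match.
        tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
        if value and tokens & SENSITIVE_TOKENS:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

# Request line and Referer field of a combined-format access log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def scan_log(lines):
    """Yield (line_no, field, names, scrubbed_line) per credential-bearing URL."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("target", "referer"):
            clean, leaked = redact_url(m.group(field))
            if leaked:
                yield no, field, leaked, line.replace(m.group(field), clean)

# Constructed sample lines (example.test host, made-up paths and values).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2019:10:00:00 +0000] "GET /export/download?id=42&password=hunter2 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.7 - - [01/Jan/2019:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 90 "https://example.test/export/download?id=42&password=hunter2" "UA"',
    '203.0.113.9 - - [01/Jan/2019:10:01:00 +0000] "GET /compass?passenger=1 HTTP/1.1" 200 10 "-" "UA"',
]

if __name__ == "__main__":
    for no, field, names, scrubbed in scan_log(SAMPLE):
        print(f"line {no}: {names} in {field}\n  {scrubbed}")
```

The second sample line shows the same URL reappearing in the Referer header of a follow-up request, so masking only the request line would still leave the password in the log.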

in Web Service, Security, Posted by darkhorse_log