Yesterday, 9to5Mac was alerted to a flaw in a third-party utility app for Instagram, called Exposure. The app helps brands connect with Instagram posters, automating the collection of agreements to use imagery for commercial purposes.
It just so happens that Apple was using this tool for its Shot on iPhone campaign. 9to5Mac contacted Apple to report the security issue. Following an investigation, a few hours later, Apple cut ties with the Exposure service. (Update: Statement from the parent company of Exposure below)
Since being flagged, all user data is no longer accessible. Prior to that, an exploit enabled completed submissions with personal data to be publicly accessible, and retrieval of said data was trivial.
So what happened? Essentially, Exposure is an automation tool that companies like Apple can use to speed up the collection of photo licensing. When an Apple employee finds an image they like, they use the Exposure app to send the Instagram account a message with a link to a form to fill out. The form lets the user provide contact information and details of any copyright associated with the photo.
A flaw in the system allowed personal data provided by Apple to be accessed by anyone.
In testing the exploit, 9to5Mac was able to find the user accounts of Instagram members who had been shortlisted by Apple for its Shot on iPhone contest. In addition to the knowledge that the user was in the running for a possible feature in a future Apple campaign, it also revealed the account’s email address and other metadata about the submission.
An example of a Shot on iPhone form that 9to5Mac was able to access. Private user data has been redacted.
Whilst this is a relatively minor data breach in the scheme of things, a nefarious hacker would have had enough information to spring a pretty convincing phishing attack with this data.
As the users behind the accounts would be excited to help further their submission, and have already had legitimate communication from the company on this matter, one could argue that those shortlisted make for especially vulnerable targets.
Someone could have posed as Apple in a spoofed email and requested more information like a link to a fake Apple ID login form, for instance, thereby stealing passwords and taking over the person’s account.
To be clear, however, there is no evidence that anything like this has happened.
Sources indicate that the bug with the Exposure software arose due to a change in the Facebook Graph API, a change that occurred around December. Exposure is currently working on an app-level fix. We have reached out to Ignite, the company behind the Exposure tool, who provided the following statement.
Ignite Chute Solutions, Inc. (“Chute”) is the company which owns and operates the Chute solution for User Generated Content (UGC) rights management, a tool used by Apple in their “ShotoniPhone” campaign to help review and secure usage rights for images that people post to Apple for consideration.
At 10:29 a.m. ET on February 13, 2019, Chute became aware that individuals who made it through the full submission and rights approval process may have had information potentially exposed to others. This potential issue was limited to a small fraction of all such users who have posted their images to Apple for consideration. After immediately investigating the issue, Chute shut down the relevant part of the application at 11:32 a.m. ET on February 13, 2019, containing the issue. The problem identified was in the Chute solution and is not part of any of Apple’s software or systems.
At this time, we do not have any reason to believe that all potentially affected individuals actually had their information exposed nor do we have any reason to believe that this issue has impacted any other individuals who may have participated in similar campaigns with other Chute customers.
We continue to diligently investigate the root cause in order to put in place measures to ensure such an issue does not occur again. We take the success of our customers very seriously and remain fully committed to Apple and any of its loyal fans who may have been affected.
Apple has disassociated itself from the third-party contractor, and any data relating to Shot on iPhone submissions is no longer accessible. It is not clear if Apple will partner with the company again in the future.
(The administration of the February Shot on iPhone contest is otherwise unaffected by these findings. Users had already been contacted before Apple disconnected from Exposure, as the last date for submissions was February 7.)
Thanks to John Zammit for bringing this issue to our attention.