3 comments

[ 3.7 ms ] story [ 18.0 ms ] thread
Shockingly, this means they've been storing them in clear text. Just wow if that turns out to be true.
"According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and that the passwords were stored on Facebook’s servers, Instagram’s parent company. A security researcher told The Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords. "

Uh-huh.

> An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.

If that's the case, how did they extract the plaintext password from the stored password to embed in the URL?

Possible scenarios are

1. They are lying and stored plaintext passwords.

2. They do hash/salt to store the password in the db but they also use the plaintext password provided from the client side for other things as well.

3. Or they have secretly developed technology to reverse the hash/salt.

I'm feeling nice so my guess is #2. They do hash/salt in the db and use that for password matching but they also do stuff with the plaintext. It's hard to imagine #1 being true for a major tech company like FB and even harder for #3 being true.