It’s apparently fixed now, but for six months, any Instagram photos you had set to “private” may have been exposed to the world, thanks to a major bug. Andy Greenberg of Forbes detailed the major flaw, which was revealed by Christian Lopez back in August of last year.
Instagram flaw detected
Lopez reportedly discovered a flaw which allowed hackers to secretly switch Instagram users’ privacy settings from private to public so they could take a peek. According to Greenberg, the company fixed that flaw as of Feb. 4, but it still lasted almost six months after Lopez reported it to Facebook Inc (NASDAQ:FB)’s security team.
The independent security researcher emphasized that Instagram did respond well to his information, and its parent company Facebook Inc (NASDAQ:FB) apparently paid him four figures under its bug bounty program. The social network regularly rewards researchers who uncover security flaws in its systems. However, he said he was surprised at how long it took the company to repair the problem.
How the Instagram hack worked
Greenberg reports that the hack made use of what’s called “cross-site request forgery.” That technique utilizes a link which steals cookies from other sites which are stored by the user’s browser. So to hack into a user’s Instagram photos, hackers would have had to trick them into clicking on a link, like one in a phishing email or a phishing message on Facebook. Users who clicked on the link and had previously logged into Instagram from the Web at some point would unknowingly give the hacker the ability to change their privacy settings. Mobile-only users of Instagram were not affected by this flaw.
Facebook Inc (NASDAQ:FB) reportedly pushed out an early fix for the problem just about a month after Lopez reported it. However, it did not correct the issue regarding cookies. Last month, Lopez reported that a change in the code on Instagram’s platform actually reopened the bug, so even those with new cookies may have fallen victim to hackers.
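To show what the cookie problem described above looks like from the server side, here is an added Python model (not code from the Forbes report or from Instagram) of a cookie-authenticated privacy-settings endpoint, first trusting the session cookie alone and then with standard CSRF defences. The origin, session store and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://photos.example"   # hypothetical first-party origin
SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret, constructed at start-up
# Constructed session store: one user logged in from the web, photos set to private.
SESSIONS = {"sess-alice": {"user": "alice", "private": True}}

def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; only the site's own page can embed it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_set_privacy(req: dict) -> int:
    """Trusts the session cookie alone; the browser sends it with cross-site requests too."""
    sess = SESSIONS.get(req["cookies"].get("session", ""))
    if sess is None:
        return 401                        # no web session (e.g. app-only user)
    sess["private"] = req["form"].get("private") == "1"
    return 200

def hardened_set_privacy(req: dict) -> int:
    """Same endpoint with CSRF defences: POST only, first-party Origin, valid token."""
    sid = req["cookies"].get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if req["method"] != "POST":
        return 405                        # state changes never ride on GET links
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403                        # request was not issued from the site's own page
    sent = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return 403                        # token missing, or bound to another session
    sess["private"] = req["form"].get("private") == "1"
    return 200

def make_request(origin: str, session: str, with_token: bool, method: str = "POST") -> dict:
    """Build a request as the browser sends it: the cookie is attached automatically."""
    cookies = {"session": session} if session else {}
    form = {"private": "0"}               # attempt to flip the account to public
    if with_token and session:
        form["csrf_token"] = csrf_token(session)
    return {"method": method, "cookies": cookies, "form": form, "headers": {"Origin": origin}}

def privacy_after(handler, req: dict) -> tuple:
    """Reset the victim to private, run one handler, report status and resulting flag."""
    SESSIONS["sess-alice"]["private"] = True
    status = handler(req)
    return status, SESSIONS["sess-alice"]["private"]
```

A request from a foreign origin without the token reaches the vulnerable handler with the victim's cookie and flips the account to public, while the hardened handler rejects it; a user with no web session cookie is refused by both, which is why app-only users were not exposed.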