Serious Instagram Bug Leaves Users Vulnerable to Hijacking


Be careful where you use Instagram, folks, because if you’re on an open WiFi network your Instagram account could be hijacked. How this works is fairly simple: while Instagram encrypts most of the data the app sends, it doesn’t encrypt all of it, so an attacker on the same network could sniff the unencrypted data and use it in an attack that would give them access to your account.

Yes, this is scary, and according to Computerworld the hacker who found the vulnerability informed Instagram/Facebook on November 11th, but the problem remains in the current version:

The vulnerability is in the 3.1.2 version of Instagram’s application, released on Oct. 23, for the iPhone. Reventlov found that while some sensitive activities, such as logging in and editing profile data, are encrypted when sent to Instagram, other data was sent in plain-text. He tested the two attacks on an iPhone 4 running iOS 6, where he first found the problem.

“When the victim starts the Instagram app, a plain-text cookie is sent to the Instagram server,” Reventlov wrote. “Once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.”

The plain-text cookie can be intercepted using a man-in-the-middle attack as long as the hacker is on the same LAN (local area network) as the victim. Once the cookie is obtained, the hacker can delete or download photos or access the photos of another person who is friends with the victim.

All of these networks are secure

Why is this a real problem? Because a lot of the public WiFi hotspots we use day to day aren’t secure or encrypted. That means the data sent between your device and the router is free and open to the packet-sniffing world. We’ve offered security tips before, but it comes down to this: if you are connecting to a WiFi hotspot and it doesn’t have the little padlock symbol next to the name, then the connection isn’t secure or encrypted. Even if you have to agree to some terms of service or enter a code you get from the counter, no padlock means no protection. When there is any kind of password on the network (even the weakest, WEP encryption), all the data you send and receive is encrypted, so even if someone is scanning the network traffic, the data captured over that network isn’t much help to them.

Right, Starbucks? Not secure.

Here’s the part that is important. There is a difference between how an app communicates with its own servers and how your device communicates over the network. Services like Gmail and Facebook communicate with their servers over an encrypted HTTPS connection, which means that even if you’re on an open network where the data between your device and the router is in plain text, the specific parts relating to that session are encrypted. It’s like passing a sealed envelope in a public place: everyone can see you’re passing something, but they can’t see what’s in it.

Now, when you’re connected to a network that uses a password (WEP or WPA/WPA2), all the traffic you’re sending back and forth is encrypted. It’s like taking that envelope, putting it into a box, and then passing the box around. People can only see that you’re doing something, with no hint of what it is.

So in Instagram’s case, the app is only putting the data in an envelope some of the time, not all of the time, so someone watching the traffic on the network can see the moments when you pass the digital equivalent of a postcard to the next person.
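The two checks a developer or auditor would want here are exactly the ones the quoted description and the envelope analogy point at: does any request carry a session cookie over plain http://, and did the server issue that cookie without the `Secure` attribute (which is what stops a client from ever sending it in the clear)? This is an added example, not code from the article or from Instagram; the request log, host name and cookie values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    scheme: str            # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)

def cleartext_cookie_leaks(requests):
    """(host, path, cookie name) for every cookie sent over plain HTTP."""
    leaks = []
    for r in requests:
        if r.scheme.lower() != "http":
            continue                      # HTTPS: the cookie is inside the envelope
        # Over http:// the Cookie header is readable by anyone on the same open network.
        for part in r.headers.get("Cookie", "").split(";"):
            name = part.strip().split("=", 1)[0]
            if name:
                leaks.append((r.host, r.path, name))
    return leaks

def insecure_set_cookies(set_cookie_headers):
    """Names of cookies issued without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:         # client may send this cookie on http:// URLs
            missing.append(name)
    return missing

# Constructed sample traffic (host and values are made up): a login over TLS,
# then two plain-HTTP calls that carry the session cookie, the pattern described above.
SAMPLE_REQUESTS = [
    Request("https", "api.example.invalid", "/accounts/login/"),
    Request("http", "api.example.invalid", "/feed/",
            {"Cookie": "sessionid=SAMPLE123; csrftoken=abc"}),
    Request("http", "api.example.invalid", "/media/42/delete/",
            {"Cookie": "sessionid=SAMPLE123"}),
]
SAMPLE_SET_COOKIES = [
    "sessionid=SAMPLE123; Path=/; HttpOnly",   # no Secure: will be sent over http
    "csrftoken=abc; Path=/; Secure",
]
```

Running both checks over the sample flags the session cookie twice in transit and once at issue time; on real traffic the same logic can be run over a request log exported from a proxy.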

Hopefully Instagram fixes this soon. In the meantime, don’t use Instagram while connected to open wireless networks (or use a tool like a VPN on your device to encrypt the traffic).