If your app has a serious security vulnerability, you'd better hope that an enthusiast finds it before a malicious hacker does. An Instagram user recently unearthed a serious flaw in the iOS version, and possibly the Android version as well, of Facebook's photo-sharing app that allows users on the same Wi-Fi network to hijack each others' accounts.
London-based programmer and self-professed hacker Stevie Graham wrote about the flaw on coding hub GitHub Gist Sunday (July 27). Graham found that Instagram does not use HTTPS (a protocol that keeps Web communications secure) on every one of its pages, which allowed him to take advantage of a small but visible security hole.
Working on a Mac OS X computer, Graham got a friend to log into his own Instagram account on an iPhone and then join the same Wi-Fi network. Issuing a command through the network, Graham was able to extract a session cookie — a cookie with login information — from the Instagram iOS app.
From there, Graham could access the Instagram account on his Mac, without logging in, while his friend's iPhone Instagram session remained active as well. While Graham's permissions did not work perfectly (he encountered an infinite-redirect loop trying to access Instagram's front page), it still gave him access to most of Instagram's features.
"I think this attack is extremely severe, because it allows full session hijack and is easily automated," Graham wrote in the Github post. "I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam."
Graham noted in the comments to his own Github post that he had informed Facebook of the issue, of which the company told him it was already aware.
Earlier today (July 29), Graham tweeted that he had decided to try his Instagram hack in the wild.
"Holy moly. This is worse than I thought," he tweeted. "Within 30 seconds of opening my laptop in a coffee shop, I've pnwd [captured] my first Instagram user."
Apparently iOS devices may not be alone in being vulnerable.
"Now I have the sessions of both iOS and Android Instagram users," he wrote. "Good job I'm a whitehat [benign hacker]. I'm just gonna send the session cookies to FB [Facebook] security. This situation is a joke."
Now that Graham has written about his process in a fair amount of detail, it's possible that a malicious hacker might try to make use of this Instagram flaw. Individual users can't do much to defend themselves, save to contact Instagram, direct them to Graham's post and implore the company to up its security standards.
- Hack-Proof Drones? This Could Make It Happen
- Loudmouth Android Malware Speaks Your Secrets
- 40 Best Free Apps for iPhone