by Brent Dirks
July 28, 2014
Instagram fans beware. A GitHub user has just posted information about a substantial security flaw in the iOS app that could allow a malicious third party to gain full access to an account on the social network. Steve Graham posted the information, saying “Instagram makes API calls to non-HTTPS endpoints with session cookies in the request headers allowing full session hijack by a malicious actor.” On GitHub, Graham lays out the complete steps to reproduce the issue, reporting that he was able to perform a session hijack on his own account while someone else was browsing Instagram on his iPhone. Hackers can only hijack your Instagram account if they are on the same open or WEP-encrypted Wi-Fi access point when you’re using the app. Still, Graham believes the issue is major:
I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.

In the comments section, Graham said he informed Facebook of the issue. The response he received was less than thrilling:
I adhered to the FB responsible disclosure procedure. FB replied saying they're already aware of the issue and closed the ticket.

Designed for the iPhone/iPod touch, Instagram can be downloaded now on the App Store for free. Hopefully, an update will arrive soon to close the hole. But until then, it’s probably wise to avoid public Wi-Fi hotspots while using the Instagram app.
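The failure the article describes, a session cookie attached to a plaintext HTTP API call, next to the usual mitigation of marking that cookie Secure so a policy-honouring client withholds it from non-HTTPS requests, as an added example built on Python's standard cookie jar (not code from the article or from Instagram; the host api.example.com, the endpoint path and the cookie value are constructed placeholders):

```python
# Added example, not from the article. Models a session cookie that a
# client would send to a plaintext http:// API endpoint, and shows how the
# Secure attribute stops a stdlib cookie jar from attaching it there.
# api.example.com, /v1/feed and the token value are constructed placeholders.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style (version 0) cookie scoped to one host."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar(secure):
    """Jar holding one session cookie, with or without the Secure flag."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("sessionid", "opaque-session-token",
                               "api.example.com", secure))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url.

    An empty string means the client sends no cookie at all. The request is
    only constructed, never sent.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def leaked_over_plaintext(secure):
    """True when the session cookie rides on an http:// request."""
    header = cookie_header_for(build_jar(secure), "http://api.example.com/v1/feed")
    return "sessionid=" in header


if __name__ == "__main__":
    print("plain cookie leaked over http:", leaked_over_plaintext(False))
    print("Secure cookie leaked over http:", leaked_over_plaintext(True))
```

A native app has its own HTTP stack, so the Secure attribute only helps where the client honours it; the durable fix on the client side is to call HTTPS endpoints exclusively.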