A security researcher has released details of an issue affecting the Instagram application for iOS devices that exposes users to hackers launching man-in-the-middle attacks.
“In a nutshell some API endpoints are HTTP which means I can most probably take control of your account if we’re on the same wifi,” researcher Stevie Graham tweeted July 27. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts.”
Facebook, which purchased Instagram in 2012, did not respond to a request for comment before publication. However, Instagram co-founder Mike Krieger responded to the situation on the Hacker News site by stating that Instagram has been steadily increasing its HTTPS coverage.
“For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience,” Krieger wrote. “This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”
In his description of the situation, Graham explained that Instagram makes API calls to non-HTTPS endpoints with session cookies in the request headers, which allows full session hijacking by an attacker.
The issue can be recreated by doing the following, he wrote:
- Jump on an open network or WEP encrypted wifi access point
- Put your network interface into promiscuous mode filtering on i.instagram.com:
sudo tcpdump -In -i en0 -s 2048 -A dst i.instagram.com
- Wait for someone to use the Instagram iOS app on the same network
- Extract cookie request header from the resulting output
- Use the sessionid cookie parameter to make any API call as that user, even HTTPS endpoints like direct messages.
“I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone,” he wrote.
Graham wrote that he was also able to take the cookie sniffed from the iOS app, go to instagram.com as a logged-out user, set document.cookie = $COOKIE, navigate to a profile and see that he was logged in as that user.
“There is some screwy behaviour where ‘instagram.com/’ gets into redirect loop, I will see if I can fix that,” he wrote. “However going to ‘instagram.com/someones_profile’ works and shows me as logged in. I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”
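The defect Graham describes is that a session cookie is honoured when it arrives over plaintext HTTP, so anyone on the same network can replay it. The following is an added example, not Instagram's or Facebook's code, of the server-side shape of the fix: a WSGI guard that treats any plaintext request as anonymous, redirects it to HTTPS with HSTS, and only issues the session cookie with the Secure and HttpOnly flags. The function names, the `/feed/` path and the assumption that `wsgi.url_scheme` reflects the real transport are mine.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

SESSION_COOKIE = "sessionid"  # cookie name taken from the article


def is_https(environ):
    # Assumption: the WSGI server sets wsgi.url_scheme from the real TLS state
    # (no untrusted X-Forwarded-Proto header is consulted here).
    return environ.get("wsgi.url_scheme", "http") == "https"


def session_from_request(environ):
    """Return the session id, or None when it must not be trusted.

    A missing cookie and a cookie delivered over plaintext both yield None,
    so a cookie sniffed off open wifi and replayed against an HTTP endpoint
    carries no privilege even if some handler forgets the redirect below."""
    if not is_https(environ):
        return None
    cookie = SimpleCookie()
    cookie.load(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def session_cookie_header(session_id):
    """Build a Set-Cookie value that browsers will only ever send over TLS."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["secure"] = True    # never sent over http://
    cookie[SESSION_COOKIE]["httponly"] = True  # not readable via document.cookie
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie[SESSION_COOKIE].OutputString()


def app(environ, start_response):
    """Serve nothing over plaintext: redirect to HTTPS and pin it with HSTS."""
    if not is_https(environ):
        target = urlunsplit(("https", environ["HTTP_HOST"], environ.get("PATH_INFO", "/"),
                             environ.get("QUERY_STRING", ""), ""))
        start_response("301 Moved Permanently", [("Location", target)])
        return [b""]
    sid = session_from_request(environ)
    body = b"feed for " + sid.encode() if sid else b"anonymous"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Strict-Transport-Security", "max-age=31536000")])
    return [body]
```

Because the plaintext branch returns before any cookie is parsed, a read endpoint left on HTTP for latency reasons cannot leak or accept a session even if it is reached directly.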