
SecurityWeek


Instagram App Exposes Users to Man-in-the-Middle Attacks: Researcher

A security researcher has released details of an issue affecting the Instagram application for iOS devices that exposes users to hackers launching man-in-the-middle attacks.

“In a nutshell some API endpoints are HTTP which means I can most probably take control of your account if we’re on the same wifi,” researcher Stevie Graham tweeted July 27. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts.”

Facebook, which purchased Instagram in 2012, did not respond to a request for comment before publication. However, Instagram co-founder Mike Krieger responded to the situation on the Hacker News site by stating that Instagram has been steadily increasing its HTTPS coverage.

“For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience,” Krieger wrote. “This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”

In his description of the situation, Graham explained that Instagram makes API calls to non-HTTPS endpoints with session cookies in the request headers, which allows full session hijacking by an attacker.

The issue can be recreated by doing the following, he wrote:

  • Jump on an open network or WEP encrypted wifi access point
  • Put your network interface into promiscuous mode filtering on i.instagram.com:

sudo tcpdump -In -i en0 -s 2048 -A dst i.instagram.com

  • Wait for someone to use the Instagram iOS app on the same network
  • Extract cookie request header from the resulting output
  • Use the sessionid cookie parameter to make any API call as that user, even HTTPS endpoints like direct messages.

“I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone,” he wrote.

Graham wrote that he was also able to take the cookie sniffed from the iOS app, go to instagram.com as a logged-out user, set document.cookie = $COOKIE, and navigate to a profile and see that he was logged in as that user.
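The two weaknesses described above, a client sending its session cookie to plaintext endpoints and a session cookie that is accepted by the web site without being scoped to HTTPS, are both things an app or API owner can audit for in their own traffic. The following Python is an added example written for this article, not code from the researcher or from Instagram; the request records, paths and Set-Cookie headers are constructed placeholders, and only cookie names, never values, are reported.

```python
from typing import Dict, List

# Constructed sample traffic (placeholders, not real captures): the app's
# session cookie sent once over plaintext HTTP and once over HTTPS, plus the
# Set-Cookie headers a login response might carry.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "i.instagram.com", "path": "/api/v1/feed/",
     "headers": {"Cookie": "sessionid=PLACEHOLDER; ds_user_id=PLACEHOLDER"}},
    {"scheme": "https", "host": "i.instagram.com", "path": "/api/v1/direct/",
     "headers": {"cookie": "sessionid=PLACEHOLDER"}},
]
SAMPLE_SET_COOKIES = [
    "sessionid=PLACEHOLDER; Path=/; HttpOnly",   # no Secure attribute
    "csrftoken=PLACEHOLDER; Path=/; Secure",
]
SESSION_COOKIE_NAMES = {"sessionid"}  # assumed name of the session cookie

def cookie_names(cookie_header: str) -> List[str]:
    """Return only the cookie names from a Cookie header; values are dropped."""
    return [p.strip().partition("=")[0] for p in cookie_header.split(";") if p.strip()]

def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def plaintext_session_leaks(requests: List[dict]) -> List[str]:
    """URLs of requests that carry a session cookie over a non-HTTPS scheme."""
    leaks = []
    for req in requests:
        if req["scheme"].lower() == "https":
            continue
        names = set(cookie_names(header(req["headers"], "Cookie")))
        if names & SESSION_COOKIE_NAMES:
            leaks.append(f"{req['scheme']}://{req['host']}{req['path']}")
    return leaks

def insecure_session_set_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of session cookies issued without the Secure attribute."""
    bad = []
    for sc in set_cookie_headers:
        parts = [p.strip() for p in sc.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if name in SESSION_COOKIE_NAMES and "secure" not in attrs:
            bad.append(name)
    return bad

if __name__ == "__main__":
    for url in plaintext_session_leaks(SAMPLE_REQUESTS):
        print("session cookie sent in the clear to", url)
    for name in insecure_session_set_cookies(SAMPLE_SET_COOKIES):
        print("session cookie issued without the Secure attribute:", name)
```

Fed with records from a TLS-terminating proxy or from the app's own request logging, the first check lists every endpoint that still receives the session over HTTP, and the second flags cookies a browser would happily replay over plaintext.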

“There is some screwy behaviour where ‘instagram.com/’ gets into redirect loop, I will see if I can fix that,” he wrote. “However going to ‘instagram.com/someones_profile’ works and shows me as logged in. I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”
