Two unrelated researchers this week disclosed a similar session hijack bug in the Instagram mobile applications for Android and iOS. Facebook has reportedly acknowledged the problem, which arose from a failure to fully encrypt all data traffic on the service, but the world’s largest social network is in no rush to fully encrypt the mobile variety of its popular photo-sharing service.
In order to exploit this lack of encryption, an attacker would have to be on the same network as the victim. Given that, an attacker could potentially monitor the pictures users are viewing, watch session cookies, and determine usernames and IDs through man-in-the-middle attacks that lead to account takeovers.
Mazin Ahmed, an information security specialist at Defensive-Sec, reported the issue last weekend after sniffing packets passing through a router from the Instagram application on his Android device.
One day later, Steve Graham posted an iOS version of the same hack on Github. Graham’s writeup includes an exploit proof-of-concept.
Graham and Ahmed said they have reported the issue to Facebook. In each case, Facebook reportedly responded that they were aware of the problem and plan on resolving it at some undetermined point in the future.
“We’re doing the technical work that’s necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance,” an Instagram spokesperson told Threatpost via email. “We’ll keep the Instagram community updated on our progress.”
Graham claims that the Instagram application on iOS makes application programming interface calls to unencrypted endpoints.
While performing the exploit (for which the proof-of-concept can be found here) from his Mac while a friend surfed his Instagram account on an iOS device, Graham managed to perform the following actions: take the cookie sniffed from the iOS app, go to instagram.com as an unlogged in user, set document.cookie = $COOKIE, navigate to a profile, and see himself logged in as that user.
“I think this attack is extremely severe because it allows full session hijack and is easily automated,” Graham explains. “I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”
In an email interview earlier this week, Ahmed noted that he tested this on the Android Instagram application, but believed the attack could target iOS devices as well, because both rely on the same server which does not appear to uniformly enforce SSL.
Instagram co-founder Mike Krieger posted the following on Hacker News:
“We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”
