Social networks were not built with security in mind, and Instagram is no exception. Security researcher Carlos Reventlov recently discovered a man-in-the-middle attack on the photo-sharing network and published the code for it. With this code a hacker could gain access to a user’s photos or the photos of the user’s friends. Despite being notified last month, Instagram has yet to patch the vulnerability in version 3.1.2 of the app, which is surprising given that the code enabling the hack is readily and publicly available.
For the attack to work, a hacker needs to be on the same wireless network as the victim. It’s a common medium for attacks, and you might remember it as the strategy of choice for the popular and powerful Firesheep Firefox extension, which could sniff out and intercept cookies sent to and from the victim’s Web browser. You’re most vulnerable on a public network, such as at a Starbucks or an airport.
Instagram uses both HTTP and HTTPS, and Reventlov found that plain-text data was being sent over HTTP while the more secure HTTPS was reserved for the typical login information and for editing profile data. Because HTTP is vulnerable to attacks, he was able to intercept unencrypted cookies, meaning information and messages sent through HTTP without being encrypted. According to his blog post, he used an ARP (Address Resolution Protocol) spoofing attack to exploit information sent from iPhones. This type of hack redirects the victim’s traffic to the hacker, who can then gain access to the victim’s account. From there the hacker can “delete photos and download private media without the victim’s consent.”
The code he published can intercept Instagram cookies, delete the victim’s photos, and download photos from the victim’s friends. Reventlov adds, “After deletion, the Instagram app does not refresh itself, so the user does not know his photos were deleted until the next time the app does a clean start.”
Facebook, which owns Instagram, recently switched from HTTP to HTTPS and warned that the change could slow down the display of Facebook pages, although few will notice much of a difference. Reventlov says fixing this vulnerability is easy and requires Instagram to strictly use HTTPS. It’s possible Instagram is worried about impacting its infrastructure and slowing down picture loads for users. Still, security should be a higher priority, and given Facebook’s preference for HTTPS, Instagram may be forced to make the switch soon as well.
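A developer can check their own app for the mixed HTTP/HTTPS pattern described above by auditing a capture of its traffic for cookies sent over plain HTTP and for cookies set without the Secure attribute. The following is an added example, not code from Reventlov's post or from Instagram; the hostnames, paths, cookie names and log entries are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample of an app's own traffic, as exported from a test proxy.
# Hostnames, paths and cookie names are made up for illustration.
SAMPLE_TRAFFIC = [
    {"url": "https://api.example.test/accounts/login/",
     "request_headers": {},
     "response_headers": [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]},
    {"url": "http://api.example.test/feed/timeline/",
     "request_headers": {"Cookie": "sessionid=abc123; lang=en"},
     "response_headers": []},
    {"url": "https://api.example.test/accounts/edit/",
     "request_headers": {"Cookie": "sessionid=abc123"},
     "response_headers": [("Set-Cookie", "csrftoken=xyz; Path=/; Secure")]},
]

def audit(traffic):
    """Return findings for cookies exposed to an observer on the same network."""
    findings = []
    for entry in traffic:
        url = urlsplit(entry["url"])
        # Header names are case-insensitive, so normalise the request side.
        req = {k.lower(): v for k, v in entry["request_headers"].items()}
        if url.scheme == "http" and "cookie" in req:
            names = sorted(SimpleCookie(req["cookie"]).keys())
            findings.append(("cookie-over-http", entry["url"], names))
        for name, value in entry["response_headers"]:
            if name.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                # Without Secure, the client will also send this cookie over HTTP.
                if not morsel["secure"]:
                    findings.append(
                        ("set-cookie-without-secure", entry["url"], [cookie_name]))
    return findings

if __name__ == "__main__":
    for kind, url, names in audit(SAMPLE_TRAFFIC):
        print(f"{kind}: {url} -> {', '.join(names)}")
```

An app that strictly uses HTTPS and marks its session cookies Secure produces no findings from this audit.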