Instagram is a great social networking tool for keeping in touch with friends and relatives through the medium of images. But is your account safe? Not as much as you want it to be, I think. An Instagram user has recently uncovered a serious flaw in the iOS version of the app. The photo-sharing app allows users on the same Wi-Fi network to hijack each other’s accounts.
A London-based programmer and hacker, Stevie Graham, recently wrote about the flaw on GitHub Gist on Sunday (July 27). He found that Instagram does not use HTTPS on every one of its pages, which allowed him to exploit a small security hole.
Graham was working on a Mac OS X computer and got a friend to log into his own Instagram account on an iPhone and then join the same Wi-Fi network. Graham was then able to extract a session cookie from the Instagram iOS app by issuing a command over the network, and could then access the Instagram account from his Mac without logging in. His friend’s Instagram session on the iPhone remained active the whole time.
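The weakness described above is that a session cookie is set and sent over plain HTTP, so anyone on the same network segment can read it. The following is an added example, not code from the article or from Graham’s gist: a small audit that takes constructed HTTP responses (placeholder host and cookie value) and reports the conditions that make a session cookie exposable on shared Wi-Fi, alongside the hardened form a defender would expect (HTTPS only, Secure and HttpOnly flags, HSTS).

```python
# Added example: audit whether a session cookie could be exposed on a shared
# Wi-Fi network because it is set or sent over plain HTTP. The responses are
# constructed for illustration; they are not captured from Instagram.
from urllib.parse import urlsplit

SESSION_COOKIE_HINTS = ("sessionid", "session", "sid", "auth", "token")

def parse_set_cookie(header):
    """Split a Set-Cookie header into its cookie name and a lowercase attribute set."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs

def audit_response(url, headers):
    """Return a list of findings for one response given as (url, [(name, value), ...])."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not any(hint in cookie.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # only session-like cookies matter for hijacking
        if scheme != "https":
            findings.append(f"{cookie}: session cookie set over cleartext HTTP ({url})")
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure flag, so the client will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly flag")
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header; later http:// requests are not upgraded")
    return findings

# Constructed 'weak' response: the class of problem the article describes.
WEAK = ("http://api.example.invalid/v1/feed",
        [("Content-Type", "application/json"),
         ("Set-Cookie", "sessionid=PLACEHOLDER; Path=/")])

# Constructed hardened response: HTTPS only, Secure + HttpOnly cookie, HSTS.
HARDENED = ("https://api.example.invalid/v1/feed",
            [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "sessionid=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax")])

if __name__ == "__main__":
    for label, (url, hdrs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(url, hdrs) or ["ok"])
```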
Graham wrote in the GitHub post, “I think this attack is extremely severe, because it allows full session hijack and is easily automated…I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.”
The programmer noted in the comments on his own GitHub post that he had informed Facebook of the problem, but Facebook told him that it was already aware of the issue.
Graham has since taken to Twitter to tell people that he had decided to try out his Instagram hack in the wild. He tweeted, “Holy moly. This is worse than I thought…Within 30 seconds of opening my laptop in a coffee shop, I’ve pwnd my first Instagram user…” and then, “Good job I’m a whitehat. I’m just gonna send the session cookies to FB security. This situation is a joke.”
What do you think? As always, if you would like to leave a sensible comment, then please do so in the comments section below.