Instagram Adroid App affected by account session Hijacking flaw

July 28, 2014  By Pierluigi Paganini


A security researcher disclosed a serious issue on Instagram’s Android Application which could be exploited by an attacker to impersonate a victim.

A security issue related to Instagram Mobile App for Android expose the users’ account to serious risks of data breach. A security researcher discovered that the Instagram Mobile App is affected by a Hijacking vulnerability which could be exploited by an attacker to access user’s personal data and impersonate the victim deleting his photos, editing comments and posting new images.

Instagram is an online mobile photo/video-sharing and social networking service owned by Facebook, which acquired it in 2012 for approximately US$1 billion. The researcher Mazin Ahmed explained in a blog post that communications between the Instagram’s Android App and its server is not encrypted allowing a bad actor to intercept and modify the traffic.

“Then I started using the app on my phone, and monitoring the traffic in the network using WireShark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark has captured unencrypted data that goes through HTTP. This data includes: The pictures that the victims watching, The victim’s session cookies, the victim’s username and ID.”  said Mazin.

What do you think about?

You are right, what Mazin Ahmed is saying is that the Android Instagram app is affected by a session hijacking vulnerability that can be exploited to conduct a man-in-the-middle attackWhen the attacker and victims share the same wireless data traffic this kind of attacks is very easy to perform.
Instagram traffic intercepted
Mazen captured the HTTP session cookies and tried to use is from another system/browser… the discovery was disconcerting, he succeeded to hijack the session of the victim’s Instagram account.

“Then, I took the session cookies and used it in my computer, and simply “The Victim’s Session Has Been Hijacked.” he said.

Instagram traffic session token

Mazen was surprised that Facebook hasn’t fixed since now a so serious security issue, he immediately reported the flaw to the company which replied that it is aware of the security issue and it is planning to move everything on the Instagram site to HTTPS, but there is no definite date for the change.

“Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS.” replied Facebook.

It is difficult to accept that after the numerous scandals related to the Government surveillance a company like Instagram still hasn’t implemented the HTTPs for its service exposing the privacy of its users to serious risks.

Pierluigi Paganini

Security Affairs –  (Instagram, hacking)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Satellite images demonstrate that Ukraine is hit by pro-Russian troops across the border

 The US Ambassador in Ukraine has released satellite images that prove Russia is firing rockets at Ukrainian troops across...