Instagram Adroid App affected by account session Hijacking flaw

Pierluigi Paganini July 28, 2014

A security researcher disclosed a serious issue on Instagram’s Android Application which could be exploited by an attacker to impersonate a victim.

A security issue related to Instagram Mobile App for Android expose the users’ account to serious risks of data breach. A security researcher discovered that the Instagram Mobile App is affected by a Hijacking vulnerability which could be exploited by an attacker to access user’s personal data and impersonate the victim deleting his photos, editing comments and posting new images.

Instagram is an online mobile photo/video-sharing and social networking service owned by Facebook, which acquired it in 2012 for approximately US$1 billion. The researcher Mazin Ahmed explained in a blog post that communications between the Instagram’s Android App and its server is not encrypted allowing a bad actor to intercept and modify the traffic.

“Then I started using the app on my phone, and monitoring the traffic in the network using WireShark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark has captured unencrypted data that goes through HTTP. This data includes: The pictures that the victims watching, The victim’s session cookies, the victim’s username and ID.”  said Mazin.

What do you think about?

You are right, what Mazin Ahmed is saying is that the Android Instagram app is affected by a session hijacking vulnerability that can be exploited to conduct a man-in-the-middle attackWhen the attacker and victims share the same wireless data traffic this kind of attacks is very easy to perform.
Instagram traffic intercepted
Mazen captured the HTTP session cookies and tried to use is from another system/browser… the discovery was disconcerting, he succeeded to hijack the session of the victim’s Instagram account.

“Then, I took the session cookies and used it in my computer, and simply “The Victim’s Session Has Been Hijacked.” he said.

Instagram traffic session token

Mazen was surprised that Facebook hasn’t fixed since now a so serious security issue, he immediately reported the flaw to the company which replied that it is aware of the security issue and it is planning to move everything on the Instagram site to HTTPS, but there is no definite date for the change.

“Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS.” replied Facebook.

It is difficult to accept that after the numerous scandals related to the Government surveillance a company like Instagram still hasn’t implemented the HTTPs for its service exposing the privacy of its users to serious risks.

Pierluigi Paganini

Security Affairs –  (Instagram, hacking)

you might also like

leave a comment