Security researcher Carlos Reventlov discovered a vulnerability in Instagram version 3.1.2 on the iPhone 4 (iOS 6) that leaves users’ Instagram accounts open to attack. Specifically, users are at risk of partial eavesdropping and man-in-the-middle attacks that a ne’er-do-well could use to delete photos or even take over a user’s account and download private photos.
Instagram’s login and profile data are sent over a secure HTTPS connection, but other API requests go out over plain ol’ HTTP, authenticated by nothing more than a session cookie sent in the clear. If an attacker is connected to the same LAN as a given user’s iPhone, the game is on.
“An attacker on the same LAN as the victim could launch a simple ARP-spoofing attack to trick the iPhones into passing port 80 traffic through the attacker’s machine,” wrote Reventlov. “When the victim starts the Instagram app a plain-text cookie is sent to the Instagram server, [and] once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.”
Reventlov’s suggested fixes appear relatively simple to implement. He suggests using HTTPS for all API requests containing sensitive data, and a body signature for any request that still travels unencrypted, so that a captured cookie alone is no longer enough to forge requests. He submitted his findings and a proof of concept to Instagram nearly a month ago, and according to his website he received only an automated response. As of November 20th, the vulnerability remained unpatched.
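To make the difference between the two fixes concrete, here is an added example (not Reventlov’s proof of concept and not Instagram’s code) that models both the cookie-only check the article describes and the kind of body signature he proposes. The session store, the per-session HMAC secret, the header names (X-Timestamp, X-Nonce, X-Signature) and the /feed and /media/123 paths are all assumptions chosen for the demo. The signature covers the method, path, timestamp, nonce and a hash of the body, so a LAN attacker who sniffs one legitimate request cannot turn its cookie into a different, destructive request, and cannot replay the captured one twice.

```python
import hashlib
import hmac
import os
import time

# Constructed session store (hypothetical; not Instagram's). The HMAC secret is
# handed to the client during the HTTPS login and never travels on the wire;
# only the session id goes out as the cookie.
SESSIONS = {
    "sess-alice": {"user": "alice", "secret": b"k" * 32},  # fixed key for the demo
}
SEEN_NONCES = set()  # server-side replay cache


def _session_id(headers):
    """Pull the session id out of a 'Cookie: sessionid=...' header."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid":
            return value
    return None


def _canonical(method, path, body, timestamp, nonce):
    """Bytes both sides sign: method, path, timestamp, nonce and a body hash."""
    fields = [method.upper(), path, timestamp, nonce, hashlib.sha256(body).hexdigest()]
    return "\n".join(fields).encode()


def sign_request(session_id, method, path, body=b"", timestamp=None, nonce=None):
    """Client side: headers for one request, including the body signature."""
    secret = SESSIONS[session_id]["secret"]
    timestamp = timestamp or str(int(time.time()))
    nonce = nonce or os.urandom(8).hex()
    msg = _canonical(method, path, body, timestamp, nonce)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "Cookie": f"sessionid={session_id}",
        "X-Timestamp": timestamp,
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


def verify_cookie_only(headers, method, path, body=b""):
    """The weak check from the article: whoever holds the cookie is the user."""
    return _session_id(headers) in SESSIONS


def verify_signed(headers, method, path, body=b"", now=None, window=300):
    """Server side: recompute the signature; reject mismatches, stale
    timestamps and reused nonces. Only a client holding the secret can sign."""
    sid = _session_id(headers)
    if sid not in SESSIONS:
        return False
    try:
        ts_raw = headers["X-Timestamp"]
        ts = int(ts_raw)
        nonce = headers["X-Nonce"]
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window or nonce in SEEN_NONCES:
        return False
    msg = _canonical(method, path, body, ts_raw, nonce)
    expected = hmac.new(SESSIONS[sid]["secret"], msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False
    SEEN_NONCES.add(nonce)  # accept once, then refuse the same request again
    return True


def attack_scenario(now=1353369600):
    """A LAN attacker sniffs one legitimate GET and tries to reuse its credentials."""
    sniffed = sign_request("sess-alice", "GET", "/feed", timestamp=str(now))
    forged = dict(sniffed)  # same cookie and headers, different (destructive) request
    return {
        "cookie_only_accepts_forgery": verify_cookie_only(forged, "DELETE", "/media/123"),
        "signed_rejects_forgery": not verify_signed(forged, "DELETE", "/media/123", now=now),
        "signed_accepts_original_once": verify_signed(sniffed, "GET", "/feed", now=now),
        "signed_rejects_replay": not verify_signed(sniffed, "GET", "/feed", now=now),
    }


if __name__ == "__main__":
    for check, result in attack_scenario().items():
        print(f"{check}: {result}")
```

The signature closes the forgery path the article describes, but it does nothing about eavesdropping: every request, including the cookie, is still readable by anyone on the LAN, which is why the first recommendation (HTTPS for anything sensitive) is the one that matters, and why the signing secret itself has to be delivered over the HTTPS login.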