Insights For Success

Strategy, Innovation, Leadership and Security

Instagram on iPhone makes you vulnerable to hacking

InfoSecEdward KiledjianComment

A recently discovered vulnerability on Instagram for iPhone makes your account vulenrable to hacking. This vulnerability was discovered by Carlos Reventlov and he explains how a hacker can seize control of a victim's account.

The description he provides is:

The Instagram app communicates with the Instagram API via HTTP and HTTPs connections.

Highly sensitive activities, such as login and editing profile data, are sent through a secure channel. However, some other request are sent through plain HTTP without a signature, those request could be exploited by an attacker connected to the same LAN of the victim’s iPhone.

The only authentication method for some HTTP calls is an standard cookie that is sent without encryption when the user starts the Instagram app.

An attacker on the same LAN of the victim could launch a simple arpspoofing attack to trick the iPhones into passing port 80 traffic through the attackers machine. When the victim starts the Instagram app a plain text cookie is sent to the Instagram server, once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.

The important note is that Secunia has validated the attach and released a customer advisory. There is nothing you can do as a customer to fix this issue, it has to be corrected by the manufacturer