The problem remains unfixed, despite the fact that the company was notified one month ago

Dec 5, 2012 10:40 GMT

Security researcher Carlos Reventlov has identified a critical vulnerability in the iOS version of the popular photo sharing application Instagram. The bug can be leveraged by a malicious actor to hijack user accounts.

The issue has been confirmed for Instagram 3.1.2 for iOS, but other versions might also be affected.

According to the expert, a cybercriminal could launch man-in-the-middle attacks that could allow him to delete photos and download media files without the victim’s consent.

This is possible because some of the app's API requests are sent over plain HTTP rather than HTTPS, and these unencrypted requests carry no signature. An attacker connected to the same LAN as the victim can therefore intercept and tamper with them.

“An attacker on the same LAN as the victim could launch a simple arpspoofing attack to trick the iPhones into passing port 80 traffic through the attacker's machine,” Reventlov explained.

“When the victim starts the Instagram app, a plain text cookie is sent to the Instagram server; once the attacker gets the cookie, he is able to craft special HTTP requests for getting data and deleting photos.”

Reventlov claimed that he notified Instagram on November 11, but since the company didn’t take any action, he decided to go public. He even made available a detailed proof-of-concept to demonstrate his findings.

As a solution to this problem, the researcher suggests using HTTPS for all API requests that carry sensitive data, and a body signature for any requests that remain unencrypted.
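The body-signature mitigation described above, as an added illustration that is not code from Instagram or the researcher: each request carries an HMAC-SHA256 over the method, path, timestamp, nonce and body hash, so a cookie captured on the LAN is not enough to craft a delete request or replay a recorded one. The secret, endpoint path and timestamps are constructed values.

```python
import hashlib
import hmac
import time

# Hypothetical per-session secret issued to the client at login (constructed,
# not a real key). Unlike the cookie, it is never sent on the wire.
SECRET = b"constructed-per-session-secret"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is stale or too far ahead


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and a body hash into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign_request(secret, method, path, timestamp, nonce, body):
    """Client side: HMAC-SHA256 signature that travels in a request header."""
    msg = canonical_string(method, path, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, timestamp, nonce, body, signature,
                   seen_nonces, now=None):
    """Server side: accept only if the timestamp is fresh, the nonce is unused
    and the signature matches; the nonce is burned only on success."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    if nonce in seen_nonces:
        return False  # replay of a previously captured request
    expected = sign_request(secret, method, path, timestamp, nonce, body)
    if not hmac.compare_digest(expected, signature):
        return False  # path or body altered, or sender lacks the secret
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    seen = set()
    ts = int(time.time())
    sig = sign_request(SECRET, "POST", "/api/photos/42", ts, "n1", b"action=like")
    print("genuine:", verify_request(SECRET, "POST", "/api/photos/42", ts, "n1",
                                     b"action=like", sig, seen))
    print("replay:", verify_request(SECRET, "POST", "/api/photos/42", ts, "n1",
                                    b"action=like", sig, seen))
```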

Industry experts highlight the fact that such vulnerabilities once again demonstrate the dangers behind the bring-your-own-device (BYOD) trend.

“Although typically thought of as the most secure BYOD smartphone, this discovery shows that iPhones filled with consumerized applications can turn any user-owned device into prey for hackers. The bottom line is that if your organization allows BYOD, any corporate information the user is accessing is at risk,” Nick Cavalancia, VP of SpectorSoft, told Softpedia.

“BYOD may have its place, but the only way to provide security for high-risk users and sensitive data in mobile environments is to issue corporate devices that can be centrally controlled and managed.”

Solutionary SERT Security Researcher Jacob Faires explains that applications are the biggest threat to security, even in a controlled BYOD environment.

“As we have seen in the Instagram vulnerability reported at the end of last week affecting iOS, increased access to more applications means more BYOD real estate can be attacked and that there are more possible holes an attacker has at his disposal for exploitation,” Faires said.

He added, “Organizations that want to reduce BYOD-related risks should limit allowed applications, which will limit possible attack vectors to devices.

“Furthermore, BYOD comes at a larger understood risk than a tightly controlled corporate-owned device environment. A well-secured network and encrypted traffic would not allow this specific attack to occur. Strong perimeter security and solid device policy are the building blocks of a safe BYOD environment.”