Developer did not receive Facebook bounty, makes public disclosure

Jul 29, 2014 22:37 GMT  ·  By

A developer in London discovered that an Instagram account could be easily hijacked, and he released a proof-of-concept of the method to the public after Facebook denied him a bug bounty on the grounds that they were already aware of the problem he had described to them.

Because part of Instagram's traffic is sent unencrypted, Stevie Graham was able to intercept the communication of the Instagram app for iOS, retrieve the session cookies and use them to hijack the account.

The flaw is not new: Instagram does not use encrypted communication for all of its parts, and some API calls are made to endpoints over plain HTTP, with the session cookies included in the request headers.

Intercepting the session cookies is easy with free network traffic capture tools, and loading them into a web browser gives an attacker access to the Instagram account without having to authenticate.

Logging into the service is done over an encrypted connection, which protects the password, but the subsequent communication that carries the session cookies is sent without encryption.
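The capture-and-replay described above comes down to two checks a practitioner would want to run: which cleartext requests carry a session cookie, and whether the cookie as issued at login would even be allowed onto an http:// connection by a client that honours cookie attributes. The following is an added example, not code from the article or from Instagram; the hostnames, paths, cookie names and captured requests are constructed for illustration.

```python
"""Added example: flag session cookies travelling over plaintext HTTP.

Given request captures from a sniffer or interception proxy, this extracts
Cookie headers from cleartext requests and reports the ones that carry a
session identifier. It also checks a Set-Cookie header for the attributes
that stop a cookie-jar client from replaying the cookie over HTTP.
Hostnames, paths and cookie names below are constructed for the example.
"""

# Cookie names treated as session identifiers (assumption for the example).
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "auth_token"}

# Constructed captures: (scheme the flow was observed on, raw request text).
# Only http flows are readable on the wire; the https entry stands for a
# TLS flow whose content the sniffer could not read.
CAPTURED_FLOWS = [
    ("http",
     "GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
     "Host: api.example.test\r\n"
     "User-Agent: ExampleApp/6.0 (iPhone; iOS 7.1)\r\n"
     "Cookie: ds_user_id=42; sessionid=42%3Aexampletoken%3A1; csrftoken=a1b2\r\n"
     "\r\n"),
    ("https", None),  # encrypted; nothing to inspect
    ("http",
     "GET /static/images/logo.png HTTP/1.1\r\n"
     "Host: static.example.test\r\n"
     "\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def find_cleartext_session_cookies(flows, session_names=SESSION_COOKIE_NAMES):
    """Return findings for every plaintext request carrying a session cookie.

    Each finding is (host, path, {cookie_name: value}).
    """
    findings = []
    for scheme, raw in flows:
        if scheme != "http" or raw is None:
            continue  # TLS flows are opaque to a passive sniffer
        _method, path, headers = parse_request(raw)
        if "cookie" not in headers:
            continue
        cookies = parse_cookie_header(headers["cookie"])
        leaked = {k: v for k, v in cookies.items() if k.lower() in session_names}
        if leaked:
            findings.append((headers.get("host", "?"), path, leaked))
    return findings


def set_cookie_attributes(set_cookie):
    """Return the attribute names (lower-case) present on a Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def cookie_resists_replay_over_http(set_cookie):
    """True only if the cookie is marked Secure (never sent on http://) and
    HttpOnly (not readable by injected script). The Secure attribute is what
    keeps a cookie-jar client from sending a cookie issued over TLS on a
    later plaintext request.
    """
    attrs = set_cookie_attributes(set_cookie)
    return "secure" in attrs and "httponly" in attrs


if __name__ == "__main__":
    for host, path, leaked in find_cleartext_session_cookies(CAPTURED_FLOWS):
        print(f"cleartext session cookie to {host}{path}: {sorted(leaked)}")
    weak = "sessionid=42%3Aexampletoken%3A1; Path=/; Domain=.example.test"
    strong = weak + "; Secure; HttpOnly"
    print("weak   :", cookie_resists_replay_over_http(weak))
    print("strong :", cookie_resists_replay_over_http(strong))
```

The Secure-attribute check only helps with clients that honour cookie attributes; a native app that builds its own http:// requests to an API endpoint will send the cookie regardless, which is why the actual fix is the one Facebook's team describes, moving the endpoints themselves to HTTPS.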

With access to the account, an attacker could do anything the owner could: modify the profile, add new content or edit comments. Sending spam or directing followers to pages hosting malicious files are just some of the abuses this flaw makes possible.

Graham made the proof-of-concept available after previously exchanging messages regarding the matter with the Facebook Bug Bounty team. He tweeted about the denial of a bug bounty and said that his next step would be to write an automated tool that enabled mass hijacking of accounts.

“I think this attack is extremely severe because it allows full session hijack and is easily automated,” he said on the page disclosing the flaw.

Graham is not the only one who made this discovery and reported it to Facebook. This week, researcher Mazin Ahmed made the same disclosure, referring to the Instagram app for Android.

After contacting Facebook, he received an answer from the security team letting him know that they were aware of the problem.

“Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However, there is no definite date for the change. At the moment Facebook accepts the risk of parts of Instagram communicating over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the near future,” the Facebook team told him.