Facebook knows about the issue, plans to fix it at an undisclosed date

Jul 29, 2014 12:25 GMT

The Android version of Facebook’s photo sharing app Instagram has been found to exchange information with the server in plain text, offering an attacker the possibility to hijack the account of a user.

Security researcher Mazin Ahmed discovered the issue and disclosed it privately to Facebook. The company responded the same day, acknowledging the problem and saying that it was already aware of it and working toward a solution to be implemented in the future.

Ahmed discovered the insecure communication when he pen-tested the Instagram Android app. He started with monitoring traffic exchanged between the client and the server using the publicly available, open-source network analyzer Wireshark.

He says that immediately after he logged into his Instagram account, all the information flowed unencrypted over HTTP. The network analyzer let him see the photos accessed through the monitored account, the session cookies, and the username and user ID.

By simply reusing the captured session cookies on a computer, he was able to control the account and make modifications, such as adding new content or editing comments.
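A defender-side check in the spirit of what the researcher observed, added here as an example and not taken from the article or from Instagram: it scans a constructed, simplified record of captured HTTP exchanges for session cookies sent over plaintext HTTP and for Set-Cookie headers that lack the Secure and HttpOnly attributes. The exchange format, host names and the cookie-name heuristic are assumptions.

```python
import re

# Heuristic for cookie names that usually carry a session or auth token
# (assumption: an illustrative pattern, not Instagram's real cookie names).
SESSION_COOKIE_RE = re.compile(r"sess|session|auth|sid", re.I)


def parse_cookies(header):
    """Split a 'Cookie: a=1; b=2' header value into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name: val for name, _, val in pairs}


def audit_exchange(exchange):
    """Return findings for one captured request/response pair."""
    findings = []
    scheme, host = exchange["scheme"].lower(), exchange["host"]
    # Request side: a session cookie on a plaintext HTTP request is visible to
    # any on-path observer and can simply be replayed from another machine.
    for name in parse_cookies(exchange.get("request_cookie", "")):
        if scheme == "http" and SESSION_COOKIE_RE.search(name):
            findings.append(f"{host}: session cookie '{name}' sent over cleartext HTTP")
    # Response side: a Set-Cookie without Secure lets the client send the
    # cookie over HTTP later, even if this particular response used HTTPS.
    for set_cookie in exchange.get("set_cookies", []):
        name, _, rest = set_cookie.partition("=")
        attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
        if SESSION_COOKIE_RE.search(name.strip()):
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"{host}: '{name.strip()}' set without {flag} flag")
    return findings


def audit_capture(capture):
    """Flatten findings over a whole capture."""
    return [f for ex in capture for f in audit_exchange(ex)]


# Constructed sample capture; host names and cookie values are placeholders.
SAMPLE_CAPTURE = [
    {"scheme": "http", "host": "api.photo-app.example",
     "request_cookie": "sessionid=abc123; csrftoken=xyz",
     "set_cookies": ["sessionid=abc123; Path=/"]},
    {"scheme": "https", "host": "api.photo-app.example",
     "request_cookie": "sessionid=abc123",
     "set_cookies": ["sessionid=abc123; Path=/; Secure; HttpOnly"]},
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

The first sample exchange produces three findings (cleartext session cookie, missing Secure, missing HttpOnly); the second, served over HTTPS with both attributes set, produces none.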

The full response from Facebook’s security team was as follows:

“Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However, there is no definite date for the change. At the moment Facebook accepts the risk of parts of Instagram communicating over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the near future.”

In a post towards the end of March, 2014, Instagram boasted more than 200 million active users on a monthly basis, 50 million having signed up in the previous six months. At that time, over 20 billion images had been shared through the service.

According to data on Google Play, Instagram for Android has been installed between 100 and 500 million times. This does not reflect the actual number of users who currently have it on their devices, but it does hint at the popularity of the app.

Many celebrities use the service to share their images with millions of users as part of social media marketing activities.

Keeping the service's communication unencrypted is a huge risk to the entire community: cybercriminals can easily intercept the traffic leaving users' devices and take over the accounts of people who simply enjoy the service.

Free WiFi hotspots are the perfect opportunity for cybercriminals to intercept communication and read data that is exchanged in the clear. Routing the traffic through a VPN is a good way to prevent such leakage, but not all users can do it all the time.