How anyone can hack your Instagram account

Filed Under: Cryptography, Facebook, Featured, Privacy, Social networks

Stevie Graham, a security researcher who reported an authentication flaw in Instagram's iOS software a few days ago, was denied a bug bounty by Facebook.

Presumably, that's because the flaw isn't new, rather than because it isn't serious. (Indeed, we first wrote about this problem in 2012.)

So Graham has gone public with instructions on how to hack other people's Instagram accounts.

All you need is shared Wi-Fi, a packet sniffer, and the willingness to break the law to violate someone's privacy.

Simply put, the attack is just Firesheep all over again.

Remember Firesheep?

Social networking security, 2010-style

Back in 2010, social networks like Twitter and Facebook handled session authentication like this:

  1. Accept a connection using HTTPS (secure HTTP), and let the user enter his username and password over an encrypted connection, to stop criminals from sniffing the credentials.
  2. Send back a unique "session cookie", valid until logout, with a one-time cryptographic code that proves the user has already logged in correctly.
  3. Subsequently accept that cookie over insecure (HTTP) connections.

So you couldn't sniff the user's password for next time, but you could sniff his session cookie and hijack his current Twitter or Facebook session in real time.
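The two server-side policies in the list above, as an added example that is not code from the original article or from any of the services it discusses. The session store, request object and token are constructed sample data; the "fixed" check assumes a design where a token that shows up over plain HTTP is treated as exposed and revoked.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional

@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed, not a real framework)."""
    scheme: str                       # "http" or "https"
    headers: Dict[str, str] = field(default_factory=dict)

def login_set_cookie(token: str, secure: bool) -> str:
    """Set-Cookie line issued after the HTTPS login (step 2 above).

    With secure=True the browser refuses to attach the cookie to plain-HTTP
    requests, so the token never appears on the wire for a sniffer to copy.
    HttpOnly keeps it away from page scripts as well."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["path"] = "/"
    c["session"]["httponly"] = True
    if secure:
        c["session"]["secure"] = True
    return c.output(header="").strip()

def session_token(req: Request) -> Optional[str]:
    c = SimpleCookie(req.headers.get("Cookie", ""))
    return c["session"].value if "session" in c else None

def user_for_request_2010(req: Request, sessions: Dict[str, str]) -> Optional[str]:
    """Firesheep-era check (step 3 above): the token is trusted on any transport."""
    token = session_token(req)
    return sessions.get(token) if token else None

def user_for_request_fixed(req: Request, sessions: Dict[str, str]) -> Optional[str]:
    """Post-Firesheep check: a session token is only honoured over HTTPS.

    A token that arrives over HTTP has, by definition, just been sent in the
    clear, so it is revoked and the caller should redirect to HTTPS instead
    of serving the page."""
    token = session_token(req)
    if token is None:
        return None
    if req.scheme != "https":
        sessions.pop(token, None)     # assume compromised: drop it server-side
        return None
    return sessions.get(token)
```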

Enter Firesheep

Firesheep was a Firefox plugin that automated the process of waiting for users to login and then stealing their session cookies.

That made it a point-and-click exercise to take over their accounts, at least until they realised what was going on and logged out.

The ostensible motivation for Firesheep, even though it was ripe for abuse, was to create a public kerfuffle big enough to push services like Twitter and Facebook to use HTTPS all the time.

And that is exactly what Facebook, Twitter and others did, because it solved the problem: no unencrypted session cookie to sniff meant no session to hijack.

2010 revisited

Fast forward nearly four years, and it looks as though the Instagram iOS app works in almost exactly the same way as explained in the 1-2-3 list above.

In short, it allows HTTP connections after the initial login.

So Instagram users with iPhones and iPads can be hijacked with ease, or so Stevie Graham claims.

So easily, in fact, that he gives five simple steps to do it:

Ouch.

What next?

We have just three words of advice: don't do this.

(At least, don't do it to someone else's account, unless they explicitly give you permission.)

It's definitely not nice, and it's almost certainly not legal, wherever you may live.

But if it really is as easy as Graham says, let's hope Facebook gets onto it pretty quickly.

In the meantime, you probably want to give up logging into Instagram from your iPhone or iPad.

And then we can worry about how to create a public kerfuffle big enough to raise the bar for the security of mobile apps in general, because we seem to keep writing about how they are lagging behind...


16 Responses to How anyone can hack your Instagram account

  1. Anonymous · 53 days ago

    My reasons for voting No on this one (though I wouldn't vote No on all such cases): 1. It really isn't that groundbreaking an attack. Everyone already knows about unencrypted session cookies. 2. In any other field, the words "Pay me or I'll tell everyone your secret" is called "Extortion." The threat to go public is to encourage security problems to be fixed, not for personal gain.

    • Paul Ducklin · 53 days ago

      It sounds to me as though his motivation for going quite so public was some combination of pride (how dare you ignore me) and concern (this really is serious, guys, don't ignore me), not spite over missing out on a financial reward.

      I agree, however, that his tweet is a bad look. It does reek of "I'll show you!" rather than "Let's do something about this." Which is a pity.

      • Lydia Morris · 52 days ago

        I assumed his reasoning to be more along the lines of "Now that the method of attack is public knowledge, you'll have to fix the problem".

        Who knows. I hope it works either way.

  2. LonerVamp · 52 days ago

    I usually tend to fall on the side of full disclosure rather than responsible disclosure, so I'm fine with what he's doing. Sure, he might come off as a dbag, but the result is a result I'd like. Exposure, discussion, fixes, improvement.

    This is an "old" weakness. It hasn't even yet been fixed. Maybe now it will.

  3. Magyver · 52 days ago

    G'day mate! Paul, you have a shiny software tool I lust after. The images in this article have 'torn, shadowed edges' similar to a website tool I used called "Curate This". (but it's used for another reason)

    Aesthetically the tool you use is superior to my process of cropping tweets out of a screenshot to 'paste' in at a website of mine without tweet embedding capability.

    Might I beg you to disclose where to get the tool you used? While I hate being a bludger, I'd also hate to have to swim across the pond to bail you up, or sic the dingos on you.

    • Paul Ducklin · 52 days ago

      I mostly use GIMP and Keynote on OS X. (Both are free, as it happens. At least, Keynote is free if you have OS X. And OS X is free, if you have a Mac :-) The faux rough edges are one of Keynote's so-called "picture frame" borders.

      • Mang · 45 days ago

        So Keynote is sold at an extortionate, over-inflated price then ;)

  4. Anonymous · 52 days ago

    I don't understand your advice of not logging into Instagram on an iOS device. Surely just not logging on in a shared WiFi hotspot is enough. If you are using 4G, home or corporate encrypted WiFi you are fine, right?

    • Paul Ducklin · 52 days ago

      Hmmm. I wouldn't say you are "fine." I'd say it is much less likely someone might sniff your session cookie, but the iOS app is still sending data that ought to be encrypted over an unencrypted connection. That's wrong in any language, on any network.

      So my advice stands. I wouldn't use the Instagram app on iOS at all until it's fixed. Session cookies for social networking accounts shouldn't be in unencrypted connections, full stop.

      Your risk is very probably lower on your corporate network than at a coffee shop, if you really can't give up Instagram for the time being.

      But I'm not going to say that because there's probably a lower risk, it's definitely OK. (After all, I know nothing about the security of your corporate network :-)

      (When Twitter and Facebook switched to HTTPS as a result of Firesheep, they didn't do it only for Wi-Fi connections.)

      • Mike Price · 50 days ago

        I assume that if you were on a public wi-fi perusing your instagram acct on iOS, but connected to a VPN, you'd be safe and sound.

        I think the "real" advice should be - Get a VPN if you are going to be on a public wi-fi.

        ....but also agree with Paul, that the app shouldn't be doing that!!!

        • Paul Ducklin · 50 days ago

          You can get a free VPN (along with all the other security features in our UTM, including spam and web filtering, free anti-virus for Windows managed from the UTM, firewall, network intrusion detection, and more) here:

          http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

          A VPN forces all your traffic back to your home network over an encrypted connection and only then lets it emerge onto the internet back out through your home firewall and router (or UTM :-)

          So free Wi-Fi hookups don't end up less secure than what you are used to at home.

  5. Jenny homum · 52 days ago

    I never use instagram and I think it's safe to use Apple's iPhone even if some keyloggers like iKeyMonitor exist. The simple trick is "DO NOT JAILBREAK". Hackers crack into iPhones when they are jailbroken and didn't change the root password. The default root password opens a door to hackers; when the device is not jailbroken, the door is closed.

  6. Mike Price · 50 days ago

    I voted Yes because I am assuming that the bounty denial was interpreted (probably accurately) as a "we know, but are busy doing other things....we'll get to that later" sort of thing. Sometimes companies need an extra "push" to escalate issues. This definitely serves to that end...but I agree with others, there is definitely a lot of pride in the divulgence as well....but how many software devs (self included) don't think they are "all that"?

    • Paul Ducklin · 50 days ago

      I reckon my own explanation (para 2) is the right one. The rules are fairly simple: a bug that is already known is ineligible, whether or not it's been fixed, is being fixed, or will be ignored.

      • David Pottage · 48 days ago

        That would be fair if Facebook published a searchable list of known bugs that have already been reported so that other bounty hunters did not spend time nailing down a bug only to be denied a bounty.

        As it creates an unfair situation where Facebook sit on a bug for months while they fix it (or not), and all the security researchers who stumble over it and spend time reproducing and describing the bug are out of pocket. (As well as any security managers who might want to tweak their firewall or UTM to filter out the risky behaviour until the bug is fixed)

        Of course, having a public bug list is rare in the commercial world. The only large company I know of that did that was Sun back before they got taken over by Oracle, but I think that if a company is going to offer bug bounties then they need to either pay everyone who reports a valid bug to them before it is fixed, including duplicates, or they need to publish the list of bugs that have already been reported.

        If the code is already secure then doing the first will not be that expensive, and doing the second will not result in a long or embarrassing risk.

  7. sarah · 19 days ago

    instagram comments... can the hacker see the deleted comments? can he get them back??


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog