A security researcher on Friday published a proof-of-concept attack on Instagram for iOS that could allow malicious users to remotely hijack victims’ accounts.
The session-riding vulnerability, discovered by Carlos Reventlov, springs from how Instagram handles cookies.
It’s one of two issues associated with that cookie-handling that his research found in mid-November.
Reventlov notified Instagram of the problem on 11 November, but outside of an automated response, he claims he hasn’t heard a peep, and the security hole still needs patching.
He writes that the issue stems from Instagram’s method of sending an unencrypted, plain text cookie to the Instagram server when users start the app and perform any action that requires authentication, such as liking or unliking pictures.
A malicious user on the same LAN as the victim could launch a simple spoof with a bogus Address Resolution Protocol (ARP) message that tricks mobile devices into redirecting port 80 traffic through the attacker’s machine, Reventlov says.
That gives the attacker access to Instagram’s plain text cookies. With the cookies in hand, he or she can log into a victim’s account, delete photos, and edit profile details.
A second risk that Reventlov shared with Instagram makes iPhones susceptible to eavesdropping and man-in-the-middle (MiTM) attacks that could enable an attacker to delete photos and download data off a victim’s device.
As it now stands, the Instagram app communicates with the Instagram API over a mix of HTTP and HTTPS connections.
Whereas sensitive activities, such as login and editing profile data, are sent through a secure channel, other requests are sent through plain HTTP without a signature.
The only authentication method for some HTTP calls is a standard cookie, sent unencrypted, when a user starts the Instagram app, Reventlov writes.
The security issues were tested on Instagram 3.1.2 for iPhone, which the Facebook-owned Instagram released on 23 October.
But as Secunia noted in its advisory on the plain-text disclosure issue, other Instagram versions may be affected.
The threat level is low, according to Reventlov.
The fix for the session-riding vulnerability is pretty simple, Reventlov says: The Instagram website should just use secure cookies.
As far as the earlier issue goes, Reventlov suggests that while we’re waiting for a fix, users stick to HTTPS for all API requests that could contain sensitive data, such as photo URLs.
Also, the researcher recommends appending a signature for unencrypted requests.
Reventlov’s revelations of the security vulnerabilities, and the short time period he has given Instagram to fix them before disclosing details, have not won him universal admiration.
Sophos’s Graham Cluley, for instance, believes that even if Reventlov has not received a helpful response from the makers of Instagram, publishing details of how to exploit the alleged security flaws was irresponsible.
“Reventlov seems to have only given Instagram a couple of weeks to get their act together and fix their systems. That doesn’t seem like long enough to me,” said Cluley. “Even if he was frustrated at the lack of response from Instagram, publishing information on the net about how to exploit their systems is perhaps the wrong way to get their attention. Instead, I would have advocated Reventlov privately demonstrating the flaw to a responsible journalist, who could have put pressure on Instagram to reveal its plans for fixing the problem.”
Cluley believes that public disclosure of vulnerabilities, including proof-of-concept code, can increase the chances of malicious hackers exploiting systems which contain security holes – and don’t necessarily benefit the end user.
Whichever side of the debate you sit on, let’s hope that Instagram fixes the problem promptly with the minimum of fuss.