Stevie Graham, a security researcher who reported an authentication flaw in Instagram’s iOS software a few days ago, was denied a bug bounty by Facebook.
Presumably, that’s because the flaw isn’t new, rather than because it isn’t serious. (Indeed, we first wrote about this problem in 2012.)
So Graham has gone public with instructions on how to hack other people’s Instagram accounts.
All you need is shared Wi-Fi, a packet sniffer, and the willingness to break the law to violate someone’s privacy.
Simply put, the attack is just Firesheep all over again.
Remember Firesheep?
Social networking security, 2010-style
Back in 2010, social networks like Twitter and Facebook handled session authentication like this:
- Accept a connection using HTTPS (secure HTTP), and let the user enter his username and password over an encrypted connection, to stop criminals from sniffing the credentials.
- Send back a unique “session cookie”, valid until logout, containing a random, unguessable token that proves the user has already logged in correctly.
- Subsequently accept that cookie over insecure (HTTP) connections.
So you couldn’t sniff the user’s password for next time, but you could sniff his session cookie and hijack his current Twitter or Facebook session in real time.
Enter Firesheep
Firesheep was a Firefox plugin that automated the process of waiting for users to log in and then stealing their session cookies.
That made it a point-and-click exercise to take over their accounts, at least until they realised what was going on and logged out.
The ostensible motivation for Firesheep, even though it was ripe for abuse, was to create a public kerfuffle big enough to push services like Twitter and Facebook to use HTTPS all the time.
And that is exactly what Facebook, Twitter and others did, because it solved the problem: no unencrypted session cookie to sniff meant no session to hijack.
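To make the 1-2-3 list above and the fix that Firesheep forced concrete, here is a small model of the cookie policy on both sides. It is an added example, not code from this article, Instagram, Facebook or Firesheep; the `Server` and `Client` classes, the `scenario()` driver and the user “alice” with her password are constructed for illustration, and it models the policy rather than a real HTTP stack. The third scenario is the one that matters for a native app: a server that refuses sessions over plain HTTP does not help if the app itself still sends the cookie in cleartext, because the eavesdropper can simply replay it over HTTPS.

```python
"""Session handling 2010-style versus hardened, as a policy model.

Added example; not the article's, Instagram's or Firesheep's code.
Server, Client, scenario() and the "alice" credential are assumptions.
"""
import secrets


class Server:
    def __init__(self, accept_session_over_http):
        # True  -> 2010-style: a session cookie is honoured even over plain HTTP.
        # False -> hardened: a session is honoured only over TLS.
        self.accept_session_over_http = accept_session_over_http
        self.sessions = {}                       # token -> username
        self.users = {"alice": "correct horse"}  # constructed sample credential

    def login(self, username, password, tls):
        """Step 1: credentials are accepted only over HTTPS."""
        if not tls or self.users.get(username) != password:
            return None
        # Step 2: a random, unguessable session token, valid until logout.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        # 'Secure' asks a well-behaved client never to send the cookie over
        # plain HTTP. The 2010-style server omits it.
        attrs = "HttpOnly" if self.accept_session_over_http else "Secure; HttpOnly"
        return f"sid={token}; {attrs}"

    def handle(self, cookie, tls):
        """Step 3 (or its fix): serve an authenticated request."""
        if not tls and not self.accept_session_over_http:
            # Hardened: refuse a session presented in cleartext and pin the
            # client to HTTPS for a year with HSTS.
            return 403, {"Strict-Transport-Security": "max-age=31536000"}
        user = self.sessions.get(cookie)
        if user is None:
            return 401, {}
        return 200, {"X-User": user}


class Client:
    """A browser or app; honours_secure says whether it respects 'Secure'."""

    def __init__(self, honours_secure):
        self.honours_secure = honours_secure
        self.cookie = None
        self.secure_only = False

    def store(self, set_cookie):
        pair, *attrs = set_cookie.split("; ")
        self.cookie = pair.split("=", 1)[1]
        self.secure_only = "Secure" in attrs

    def request(self, tls):
        """A well-behaved client withholds a Secure cookie on plain HTTP."""
        if not tls and self.secure_only and self.honours_secure:
            return {"tls": tls, "cookie": None}
        return {"tls": tls, "cookie": self.cookie}


def sniff(wire):
    """What anyone on shared Wi-Fi sees: every cleartext cookie, nothing under TLS."""
    return [r["cookie"] for r in wire if not r["tls"] and r["cookie"]]


def scenario(hardened_server, client_honours_secure):
    server = Server(accept_session_over_http=not hardened_server)
    client = Client(honours_secure=client_honours_secure)
    client.store(server.login("alice", "correct horse", tls=True))
    wire = []
    # After login the victim makes one HTTPS request and two over plain HTTP
    # (an http:// link, a hard-coded http:// URL in an app, ...).
    for tls in (True, False, False):
        req = client.request(tls)
        wire.append(req)
        server.handle(req["cookie"], req["tls"])
    stolen = sniff(wire)
    # The eavesdropper replays whatever was captured, over TLS, so that a
    # server-side plaintext check alone cannot save the victim.
    hijacked = any(server.handle(c, tls=True)[0] == 200 for c in stolen)
    return {"cookie_on_wire": bool(stolen), "hijacked": hijacked}


if __name__ == "__main__":
    print("2010-style server, normal client:        ", scenario(False, True))
    print("hardened server, normal client:          ", scenario(True, True))
    print("hardened server, app that ignores Secure:", scenario(True, False))
```

Only the second scenario is safe: the cookie never appears on the wire, so there is nothing to steal. The first is Firesheep's world, and the third is what a mobile app that talks plain HTTP after login looks like even to a server that has done its part.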
2010 revisited
Fast forward nearly four years, and it looks as though the Instagram iOS app works in almost exactly the same way as explained in the 1-2-3 list above.
In short, it allows HTTP connections after the initial login.
So Instagram users with iPhones and iPads can be hijacked with ease, or so Stevie Graham claims.
So easily, in fact, that he gives five simple steps to do it:
Ouch.
What next?
We have just three words of advice: don’t do this.
(At least, don’t do it to someone else’s account, unless they explicitly give you permission.)
It’s definitely not nice, and it’s almost certainly not legal, wherever you may live.
But if it really is as easy as Graham says, let’s hope Facebook gets onto it pretty quickly.
In the meantime, you probably want to give up logging into Instagram from your iPhone or iPad.
And then we can worry about how to create a public kerfuffle big enough to raise the bar for the security of mobile apps in general, because we seem to keep writing about how they are lagging behind…
My reasons for voting No on this one (though I wouldn’t vote No on all such cases): 1. It really isn’t that groundbreaking an attack. Everyone already knows about unencrypted session cookies. 2. In any other field, the words “Pay me or I’ll tell everyone your secret” are called “Extortion.” The threat to go public is to encourage security problems to be fixed, not for personal gain.
It sounds to me as though his motivation for going quite so public was some combination of pride (how dare you ignore me) and concern (this really is serious, guys, don’t ignore me), not spite over missing out on a financial reward.
I agree, however, that his tweet is a bad look. It does reek of “I’ll show you!” rather than “Let’s do something about this.” Which is a pity.
I assumed his reasoning to be more along the lines of “Now that the method of attack is public knowledge, you’ll have to fix the problem”.
Who knows. I hope it works either way.
I usually tend to fall on the side of full disclosure rather than responsible disclosure, so I’m fine with what he’s doing. Sure, he might come off as a dbag, but the result is a result I’d like. Exposure, discussion, fixes, improvement.
This is an “old” weakness. It hasn’t even yet been fixed. Maybe now it will.
G’day mate! Paul, you have a shiny software tool I lust after. The images in this article have ‘torn, shadowed edges’ similar to a website tool I used called “Curate This”. (but it’s used for another reason)
Aesthetically the tool you use is superior to my process of cropping tweets out of a screenshot to ‘paste’ in at a website of mine without tweet embedding capability.
Might I beg you to disclose where to get the tool you used? While I hate being a bludger, I’d also hate to have to swim across the pond to bail you up, or sic the dingos on you.
I mostly use GIMP and Keynote on OS X. (Both are free, as it happens. At least, Keynote is free if you have OS X. And OS X is free, if you have a Mac. 🙂) The faux rough edges are one of Keynote’s so-called “picture frame” borders.
So Keynote is sold at an extortionate, over-inflated price then 😉
I don’t understand your advice of not logging into Instagram on an iOS device. Surely just not logging on in a shared WiFi hotspot is enough. If you are using 4G, home or corporate encrypted WiFi you are fine, right?
Hmmm. I wouldn’t say you are “fine.” I’d say it is much less likely someone might sniff your session cookie, but the iOS app is still sending data that ought to be encrypted over an unencrypted connection. That’s wrong in any language, on any network.
So my advice stands. I wouldn’t use the Instagram app on iOS at all until it’s fixed. Session cookies for social networking accounts shouldn’t be in unencrypted connections, full stop.
Your risk is very probably lower on your corporate network than at a coffee shop, if you really can’t give up Instagram for the time being.
But I’m not going to say that because there’s probably a lower risk, it’s definitely OK. (After all, I know nothing about the security of your corporate network. 🙂)
(When Twitter and Facebook switched to HTTPS as a result of Firesheep, they didn’t do it only for Wi-Fi connections.)
I assume that if you were on a public wi-fi perusing your instagram acct on iOS, but connected to a VPN, you’d be safe and sound.
I think the “real” advice should be – Get a VPN if you are going to be on a public wi-fi.
...but also agree with Paul, that the app shouldn’t be doing that!!!
You can get a free VPN (along with all the other security features in our UTM, including spam and web filtering, free anti-virus for Windows managed from the UTM, firewall, network intrusion detection, and more) here:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
A VPN forces all your traffic back to your home network over an encrypted connection and only then lets it emerge onto the internet back out through your home firewall and router (or UTM 🙂
So free Wi-Fi hookups don’t end up less secure than what you are used to at home.
I never use Instagram and I think it’s safe to use Apple’s iPhone even if some keyloggers like iKeyMonitor exist. The simple trick is “DO NOT JAILBREAK”. Hackers crack into iPhones when they are jailbroken and didn’t change the root password. The default root password opens a door to hackers; when the device is not jailbroken, the door is closed.
I voted Yes because I am assuming that the bounty denial was interpreted (probably accurately) as a “we know, but are busy doing other things….we’ll get to that later” sort of thing. Sometimes companies need an extra “push” to escalate issues. This definitely serves to that end…but I agree with others, there is definitely a lot of pride in the divulgence as well….but how many software devs (self included) don’t think they are “all that”?
I reckon my own explanation (para 2) is the right one. The rules are fairly simple: a bug that is already known is ineligible, whether or not it’s been fixed, is being fixed, or will be ignored.
That would be fair if Facebook published a searchable list of known bugs that have already been reported so that other bounty hunters did not spend time nailing down a bug only to be denied a bounty.
As it creates an unfair situation where Facebook sit on a bug for months while they fix it (or not), and all the security researchers who stumble over it and spend time reproducing and describing the bug are out of pocket. (As well as any security managers who might want to tweak their firewall or UTM to filter out the risky behaviour until the bug is fixed)
Of course, having a public bug list is rare in the commercial world. The only large company I know of that did that was Sun back before they got taken over by Oracle, but I think that if a company is going to offer bug bounties then they need to either pay everyone who reports a valid bug to them before it is fixed, including duplicates, or they need to publish the list of bugs that have already been reported.
If the code is already secure then doing the first will not be that expensive, and doing the second will not result in a long or embarrassing risk.
Instagram comments… Can the hacker see the deleted comments? Can he get them back?
This was a risky thing to do, and probably not worth it. What if he made things worse by doing this? This very well could have ended in disaster and encouraging the problem until it was noticed is very reckless and probably resulted in many innocent people being hacked for no reason.
My account was hacked and vile stuff was sent to people. I alerted them, then deleted my Instagram account.
I logged in through my Wi-Fi on iPhone and contacted Instagram to report it, but they are not interested in individual accounts.
Can the hackers be traced? I am concerned, as it looks like the messages have come from me or my Wi-Fi.
Thanks
Do you know how they hacked your account?
What is the minimum age to get an Instagram account?
This is the perfect site for anybody who wants to find out about this topic.
You understand a whole lot; it’s almost hard to argue with you (not that I actually will need to… HaHa).
You certainly put a brand new spin on a topic which has been discussed for many years.
Wonderful stuff, just wonderful!