Instagram Bug on iPhone Surrenders Accounts to Attackers

Instagram users are prone to account hijacking, as a vulnerability in the way cookies are handled by the iPhone app could enable attackers to seize control of user accounts.

Although some activities between the app and Instagram`s servers are encrypted, when the app starts it broadcasts a plain-text cookie that could be intercepted by attackers, said Carlos Reventlov who researched the vulnerability.

“An attacker on the same LAN of the victim could launch a simple ARP spoofing attack to trick the iPhones into passing port 80 traffic through the attackers machine,” Reventlov says on his blog. “When the victim starts the Instagram app a plain text cookie is sent to the Instagram server, once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.”

If both attacker and user are on the same network, a simple man-in-the middle attack would enable the hacker to take control of the users` account and delete or download photos of the victim. Funneling a users` traffic through an attacker`s computer is relatively easy, making the plain-text cookie vulnerability even more serious.

The researcher also posted proof-of-concept code that demonstrates how the vulnerability is exploited.

“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” said Reventlov.

Mitigating the vulnerability, Reventlov suggests Instagram should enable HTTPS at all times when API requests with sensitive data are made or “use a body signature for unencrypted requests.” After reporting the vulnerability to Instagram on November, it remains unfixed.