In this post, I am going to share a new critical issue that I have identified on Instagram Mobile App. During my tests on their android app, I have set-up a lab to pentest the app. Then I started using the app on my phone, and monitoring the traffic in the network using WireShark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark has captured unencrypted data that goes through HTTP. This data includes: The pictures that the victims watching, The victim's session cookies, the victim's username and ID.
I was shocked after seeing the results, it is unbelievable that Facebook, the company that is responsible for Instagram, did not insure that the data is secured and goes through HTTPS.
Then, I took the session cookies and used it in my computer, and simply “The Victim's Session Has Been Hijacked”.
I have reported this issue to Facebook, and they emailed me saying:
The security member said:” Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS”.
If this unencrypted data can lead to session hijacking and stalking Instagram users, this may raise an eye-brow of suspicious.
Jul 24, 2014 4:35am – Reported the issue.
Jul 24, 2014 4:38am – Received a confirmation email of receiving the submission.
Jul 24, 2014 9:45pm – Received the first response from Facebook Security.
Jul 24, 2014 9:45pm – I Asked for a disclosure.
Jul 24, 2014 11:56pm – Received the second response from Facebook Security.
Until a patch is released ( which there is no specific date for releasing a patch that has been assigned by Facebook), do not use Instagram Mobile App. Instead, use the normal website, it is generally secured and encrypted.
It is unbelievable that a company such as Facebook does not take the maximum measure to insure the security of their users. Right now, I believe this issue might be getting exploited in the public by surveillance and agencies.
Follow me on Twitter @mazen160 , and check my Blog for the latest news and findings.