Carlos Reventlov, a security researcher, published on Friday a vulnerability in the Instagram app for iPhone and iPod touch. It gives hackers the ability to gain access and control users’ Instagram accounts, allowing them to potentially delete photos or change sensitive profile information.
Reventlov first discovered the vulnerability in the middle of November and quickly sent in notice to Instagram on November 11th, suggesting a fix. It still has not been fixed.
He discovered the issue when running a test on two separate iPhone 4 units, both running iOS 6. “When the victim starts the Instagram app, a plain-text cookie is sent to the Instagram server,” Reventlov writes. “Once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.” He later found that the same hack gives more power to a hacker than originally reported: the hacker could fully take control of the account upon exploiting the vulnerability.
“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” Reventlov added. He says that the fix for Instagram is rather easy. For API calls that utilize sensitive information, simply use HTTPS, or Hypertext Transfer Protocol Secure.
I always have a love-hate relationship writing up security posts like this. The story brings important security information to the public eye, but at the same time, it also does so to hackers with no souls. The risk seems to be low for Instagram’s issue, but as always, remain vigilant.