Instagram users are prone to account hijacking, as a vulnerability in the way cookies are handled by the iPhone app could enable attackers to seize control of user accounts.
Although some activity between the app and Instagram's servers is encrypted, when the app starts it sends a plain-text cookie that could be intercepted by attackers, said Carlos Reventlov, who researched the vulnerability.
"An attacker on the same LAN as the victim could launch a simple ARP spoofing attack to trick the iPhones into passing port 80 traffic through the attacker's machine," Reventlov says on his blog. "When the victim starts the Instagram app a plain text cookie is sent to the Instagram server; once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos."
If both attacker and user are on the same network, a simple man-in-the-middle attack would enable the hacker to take control of the user's account and delete or download the victim's photos. Funneling a user's traffic through an attacker's computer is relatively easy, which makes the plain-text cookie vulnerability even more serious.
The researcher also posted proof-of-concept code that demonstrates how the vulnerability is exploited.
“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” said Reventlov.
To mitigate the vulnerability, Reventlov suggests that Instagram enable HTTPS at all times when API requests carrying sensitive data are made, or "use a body signature for unencrypted requests." The vulnerability was reported to Instagram in November and remains unfixed.
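The body-signature mitigation Reventlov mentions, as an added example that is not the researcher's or Instagram's code: a server-side HMAC check that binds method, path, timestamp, nonce and body to a per-session secret, so a captured cookie alone no longer lets an intercepted request be altered or replayed. It assumes the session secret was established over HTTPS and never travels over plain HTTP (the session id, key and request values below are constructed); HTTPS throughout remains the stronger fix, since the cookie itself is still readable on the wire.

```python
import hashlib
import hmac
import time

# Constructed per-session signing secrets; assumed to be issued over HTTPS
# at login and never sent again, unlike the cookie that travels in clear.
SESSION_SECRETS = {"session-abc123": b"constructed-secret-key-do-not-reuse"}
SEEN_NONCES = set()          # nonces already accepted, to refuse replays
MAX_SKEW_SECONDS = 300       # freshness window for the request timestamp


def canonical_string(method, path, timestamp, nonce, body):
    """Bind the request method, path, freshness fields and body into one string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(session_id, method, path, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over the canonical string with the session secret."""
    key = SESSION_SECRETS[session_id]
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(session_id, method, path, timestamp, nonce, body, signature, now=None):
    """Server side: reject unknown sessions, bad MACs, stale requests and replays."""
    now = time.time() if now is None else now
    key = SESSION_SECRETS.get(session_id)
    if key is None:
        return False                     # no secret on file for this session
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False                     # method, path or body altered in transit
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False                     # outside the freshness window
    if nonce in SEEN_NONCES:
        return False                     # exact replay of an accepted request
    SEEN_NONCES.add(nonce)
    return True


if __name__ == "__main__":
    ts, nonce, body = 1700000000, "nonce-1", b"media_id=123"
    sig = sign_request("session-abc123", "DELETE", "/media/123", ts, nonce, body)
    print(verify_request("session-abc123", "DELETE", "/media/123", ts, nonce, body, sig, now=ts))
```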