1 min read

Instagram Bug on iPhone Surrenders Accounts to Attackers

Liviu ARSENE

December 05, 2012


Instagram users are exposed to account hijacking: a vulnerability in the way the iPhone app handles its session cookie could let an attacker on the same network take control of a user's account.

Although some of the traffic between the app and Instagram's servers is encrypted, when the app starts it sends its session cookie over plain HTTP, where anyone positioned on the network path can read it, said Carlos Reventlov, who researched the vulnerability.


“An attacker on the same LAN as the victim could launch a simple ARP spoofing attack to trick the iPhones into passing port 80 traffic through the attacker's machine,” Reventlov says on his blog. “When the victim starts the Instagram app, a plain-text cookie is sent to the Instagram server; once the attacker gets the cookie, he is able to craft special HTTP requests for getting data and deleting photos.”

If attacker and victim share a network, a simple man-in-the-middle attack lets the attacker hijack the victim's session, act as that user, and delete or download the victim's photos. Funnelling a user's traffic through an attacker's computer is relatively easy, and ARP spoofing needs nothing beyond a laptop on the same LAN, which makes a session cookie sent in clear text all the more serious.

The researcher also posted proof-of-concept code that demonstrates how the vulnerability is exploited.

“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” said Reventlov.

To mitigate the vulnerability, Reventlov suggests Instagram enable HTTPS at all times when API requests carrying sensitive data are made, or “use a body signature for unencrypted requests.” He reported the vulnerability to Instagram in November; at the time of writing it remains unfixed.
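The following is an added illustration of both halves of the story above (the cookie captured from an unencrypted request, and the body-signature mitigation Reventlov proposes); it is not Reventlov's proof-of-concept code and not Instagram's API. The captured request, hostnames, paths, cookie names and the "per-session secret issued over HTTPS at login" are all constructed assumptions for the example. It parses the Cookie header out of a plain-text HTTP request as an on-path attacker would see it, shows that a server trusting the bare cookie accepts a crafted delete request, and then shows that a server requiring an HMAC body signature (with a timestamp and nonce) rejects both a forged request and a verbatim replay of a captured one.

```python
import hashlib
import hmac

# Constructed sample of the plain-text HTTP request an on-path attacker
# (e.g. after ARP spoofing the LAN) would capture on port 80. Hostnames,
# paths and cookie names here are illustrative, not real Instagram traffic.
CAPTURED_REQUEST = (
    b"GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    b"Host: api.instagram.example\r\n"
    b"Cookie: sessionid=abc123deadbeef; ds_user_id=42\r\n"
    b"\r\n"
)


def extract_cookies(raw: bytes) -> dict:
    """Pull name=value pairs out of the Cookie header of a raw HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    cookies = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            for pair in value.decode("ascii").split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def cookie_only_accepts(cookies: dict, valid_sessions: set) -> bool:
    """A server that trusts the bare session cookie: whoever holds it is the user."""
    return cookies.get("sessionid") in valid_sessions


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 ts: int, nonce: str) -> str:
    """HMAC-SHA256 over method, path, timestamp, nonce and a hash of the body.

    Assumption: the secret is issued once over HTTPS at login and never sent
    on the wire again, so a sniffer who sees the cookie cannot produce it."""
    msg = b"|".join([method.encode(), path.encode(), str(ts).encode(),
                     nonce.encode(), hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SignedApiServer:
    """Verifies a body signature on unencrypted requests, with replay protection."""

    def __init__(self, session_secrets: dict, max_skew: int = 300):
        self.session_secrets = session_secrets   # sessionid -> shared secret
        self.seen_nonces = set()
        self.max_skew = max_skew

    def accepts(self, cookies, method, path, body, ts, nonce, signature, now):
        secret = self.session_secrets.get(cookies.get("sessionid"))
        if secret is None or abs(now - ts) > self.max_skew:
            return False                          # unknown session or stale timestamp
        if nonce in self.seen_nonces:
            return False                          # replay of a captured request
        expected = sign_request(secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, signature):
            return False                          # forged or tampered request
        self.seen_nonces.add(nonce)
        return True


def demo() -> dict:
    """Run the attack against both server designs and report what each accepts."""
    stolen = extract_cookies(CAPTURED_REQUEST)
    now = 1354665600                              # fixed clock: 2012-12-05 00:00 UTC
    results = {}

    # Cookie-only server: the sniffed cookie alone authorises a crafted delete.
    results["cookie_only_forgery_accepted"] = cookie_only_accepts(
        stolen, valid_sessions={"abc123deadbeef"})

    # Signed-request server: the real client holds the secret, the attacker does not.
    client_secret = b"per-session secret issued over https"
    server = SignedApiServer({"abc123deadbeef": client_secret})
    path, body = "/api/v1/media/1001/delete/", b""

    legit = dict(method="POST", path=path, body=body, ts=now, nonce="n-1")
    legit_sig = sign_request(client_secret, **legit)
    results["signed_legit_accepted"] = server.accepts(
        stolen, signature=legit_sig, now=now, **legit)

    forged = dict(method="POST", path=path, body=body, ts=now, nonce="n-2")
    forged_sig = sign_request(b"attacker guess", **forged)
    results["signed_forgery_accepted"] = server.accepts(
        stolen, signature=forged_sig, now=now, **forged)

    # Replaying the captured legitimate request verbatim reuses its nonce.
    results["signed_replay_accepted"] = server.accepts(
        stolen, signature=legit_sig, now=now + 5, **legit)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Two caveats worth keeping in mind. A body signature only stops an attacker from forging or replaying requests; the cookie and every response still cross the wire in clear text, so a sniffer can still read whatever data the app fetches. That is why HTTPS for all API traffic is the stronger of the two fixes, with request signing as a defence in depth rather than a substitute.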
