An internet security expert, who goes by the name of Carlos Reventlov has found a vulnerability on Instagram app for iPhone and iPod touch. The vulnerability allows hackers to illegally access the user account and make changes against its will, for example: changing and deleting of uploaded pictures.
The vulnerability was found on 11th November 2012 and Instagram authorities were informed but yet haven’t been fixed.
The Instagram app communicates with the Instagram API via HTTP and HTTPs connections.
During a test on two separate iPhone 4 units, both running iOS 6, Reventlov discovered that, login into Instagram profile, editing and uploading an image are done through secure channel, while, few other permissions are sent through plain HTTP without any security interruption, such permissions can be highly dangerous for the user and can allow hacker connected to the same LAN of the victim’s iPhone, to get in the user profile.
He added that:
“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” Reventlov added. He says that the fix for Instagram is rather easy. For API calls that utilize sensitive information, simply use HTTPS, or Hypertext Transfer Protocol Secure.
Proof of concept is available on Reventlov’s blog.
Any way of protecting ourselves?
Paddy, the problem is that Instagram was already reported by the IT Expert almost month ago, yet they didn’t took any measure to remove this vulnerability. So for now, just be careful and keep changing your password every now and then. I will update the readers as soon Instagram updates its security.