Over the last decade, wireless networks have been a prime target for hackers. The ability to sniff out traffic belonging to others, and with it any unencrypted credentials or other valuable information, is what drives them. Because of this, most popular services today, such as Twitter, Facebook and Gmail, have moved to HTTPS for all authenticated communication. Instagram, however, lags behind.
Consider who the users are
To the security minded, this may not come as much of a surprise — another social media service that fails to provide basic protection, nothing new there.
What makes this one different, to me, is who many of the actual users of Instagram are, and where they use the service from: kids, in schools.
Many parents allow their children to use Instagram on the condition that they protect their profiles. When a profile is protected, only those added as friends may view the owner’s profile and pictures.
Some use Instagram for the sole purpose of gaining exposure, and that’s fine. For others, though, and especially the young, this can attract attention from the wrong kind of crowd. Getting attention from people you don’t know or trust can lead to anything from a young girl getting her pictures uploaded to a pornographic site, to someone in a van pulling a young boy in through the side door.
Whenever you bring up your phone, connect it to the corporate / coffee shop / school wifi and open the Facebook app, all relevant communication with Facebook’s servers will be encrypted. Even on public and unprotected wireless networks, this means that an attacker can’t realistically decode what’s being sent and received.
With Instagram, this isn’t the case. Sure enough, editing your profile will take you through an encrypted connection, but browsing the image stream and looking through the pictures you and your friends have posted is not encrypted. This means that anyone on the same wireless network may capture this communication and steal key pieces of it. These key pieces can be used to bypass authentication, and let the hacker browse Instagram through the victim’s account, on the hacker’s own computer.
Until Instagram makes HTTPS the default for all interaction with their servers, or at least offers it as an opt-in setting, its use should be avoided on shared wifi networks.
Using it via the mobile network, e.g. 3G/4G, is (relatively) safe, but that does come with increased costs.
This really is your run-of-the-mill session hijacking vulnerability, but I’ll describe it real quick for good measure.
When you open the Instagram app, a request such as the following is sent to their servers:
GET /api/v1/feed/timeline/? HTTP/1.1
Host: instagram.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: csrftoken=[...]; ds_user=einaros; ds_user_id=[...]; sessionid=[...]; mid=[...]
Connection: keep-alive
Accept-Language: en
User-Agent: Instagram 4.1.3 (iPhone3,1; iPhone OS 6_1_3; nb_NO; en-GB) AppleWebKit/420+
Bringing these cookies into the browser and opening the same url yields an error reading:
This, this page could not be found.
Looking closer at the sessionid cookie, it appears to contain a setting indicating that the platform the session is active on is a phone. So, what happens if you replace the User-Agent of your browser with e.g. that of an Android client?
Well, you’re allowed entry.
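As an added example from the defender’s side (not code from the original post), here is a small Python audit that parses a request header block shaped like the one quoted above and reports which account cookies left the device in cleartext, plus a server-side check that a session cookie is issued with the Secure and HttpOnly attributes. The sample request, the cookie values and the list of sensitive cookie names are constructed for the example.

```python
# Constructed sample modelled on the request quoted above; every value is a placeholder.
SAMPLE_REQUEST = (
    "GET /api/v1/feed/timeline/? HTTP/1.1\r\n"
    "Host: instagram.com\r\n"
    "Cookie: csrftoken=CSRF_PLACEHOLDER; ds_user=someone; ds_user_id=123; "
    "sessionid=SESSION_PLACEHOLDER; mid=MID_PLACEHOLDER\r\n"
    "User-Agent: Instagram 4.1.3 (iPhone3,1; iPhone OS 6_1_3; nb_NO; en-GB)\r\n"
    "\r\n"
)

# Cookies that identify or authenticate the account (assumed, from the names above).
SENSITIVE_COOKIES = {"sessionid", "csrftoken", "ds_user_id"}


def parse_request(raw):
    """Split an HTTP/1.x request header block into (method, target, headers dict).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in filter(None, header_lines):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def audit_request(raw, over_tls):
    """Findings for one captured request. `over_tls` is True when the capture point
    saw the request inside a TLS session, False when it was readable on the wire."""
    method, target, headers = parse_request(raw)
    if over_tls:
        return []
    leaked = sorted(SENSITIVE_COOKIES & set(parse_cookies(headers.get("cookie", ""))))
    if not leaked:
        return []
    return [f"{method} {target}: session cookies sent in cleartext: {', '.join(leaked)}"]


def missing_cookie_flags(set_cookie):
    """Server-side check: attributes a session cookie should carry but lacks. Without
    Secure a client will send the cookie over plain HTTP, which is what exposes it."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]
```

Run over a capture of your own device on a shared network, `audit_request` shows exactly which cookies an app hands to anyone listening; the same function returns nothing once the app moves to HTTPS.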