A security flaw in photo sharing app Instagram could compromise user accounts, after it was discovered that certain cookies are sent in plain text without encryption. The exploit, discovered by Carlos Reventlov and flagged to the Instagram team in November, relies on the fact that only login and profile editing are done over encrypted links.

According to Computerworld, a plain-text cookie is sent to Instagram’s servers when the app is loaded. Should an attacker intercept that cookie (along with certain other information), they could potentially gain access to the account and lock out the legitimate user.

“Once the attacker gets the cookie,” says Reventlov, “he is able to craft special HTTP requests for getting data and deleting photos.” The exploit was identified and repeated with the latest version of the Instagram app for iOS, v3.1.2, on the iPhone 4, and relies on the fact that the company does not use HTTPS for API requests.

The hack requires that both the legitimate user and the hacker are connected to the same LAN. Instagrammers are safe using their mobile data connections, but using the same Wi-Fi hotspot leaves them susceptible.
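The weakness described above is a session cookie that is issued without the Secure attribute and then transmitted over plain HTTP, where anyone on the same LAN can read it. The following is an added example, not code from the article or from Instagram: a defender-side audit that takes a constructed list of request/response records (standing in for what a developer sees in their own app's debugging proxy; the hostnames, paths and cookie names are made up) and flags session cookies set without Secure and any cookie sent over http://, then shows the hardened form of the Set-Cookie header.

```python
"""Audit a mobile client's HTTP exchanges for the cookie-handling weakness
described in the article: a session cookie transmitted in the clear.

Added example; not code from the article or from Instagram. All records
below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlparse

# Substrings that commonly identify session-bearing cookies. This list is an
# assumption for the example; extend it for the application under review.
SESSION_COOKIE_HINTS = ("session", "auth", "token")


class Exchange(NamedTuple):
    url: str                      # request URL as seen by the proxy
    set_cookie: Optional[str]     # Set-Cookie header on the response, if any
    request_cookies: List[str]    # names of cookies the client sent on the request


# Constructed sample: login over HTTPS issues a session cookie without Secure,
# and a later API call carries that cookie over plain HTTP.
SAMPLE_RECORDS = [
    Exchange("https://api.example.test/accounts/login/",
             "sessionid=abc123; Path=/; HttpOnly", []),
    Exchange("http://api.example.test/feed/timeline/", None,
             ["sessionid", "user_id"]),
    Exchange("https://api.example.test/accounts/edit/", None, ["sessionid"]),
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and the
    security attributes that matter here (Secure, HttpOnly)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit(records: List[Exchange]) -> List[str]:
    """Return one finding per weakness observed, in record order.

    Two conditions are reported:
      * a session cookie issued without the Secure attribute, so the client
        will happily send it over http:// as well as https://
      * any cookie actually sent on an http:// request, which exposes it to
        everyone on the same network segment regardless of how it was set
    """
    findings: List[str] = []
    for rec in records:
        scheme = urlparse(rec.url).scheme.lower()
        if rec.set_cookie:
            cookie = parse_set_cookie(rec.set_cookie)
            if is_session_cookie(str(cookie["name"])) and not cookie["secure"]:
                findings.append(f"{cookie['name']} set without Secure by {rec.url}")
        if scheme == "http":
            for name in rec.request_cookies:
                findings.append(f"{name} sent in clear over {rec.url}")
    return findings


def harden_set_cookie(header: str) -> str:
    """Return the header with Secure and HttpOnly added where missing.
    Secure stops the client from sending the cookie over plain HTTP;
    HttpOnly keeps it away from script in embedded web views."""
    cookie = parse_set_cookie(header)
    out = header.rstrip("; ")
    if not cookie["secure"]:
        out += "; Secure"
    if not cookie["httponly"]:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("FINDING:", finding)
    print("hardened:", harden_set_cookie("sessionid=abc123; Path=/"))
```

The second finding type is the one that matters most for the scenario in the article: even a cookie set over an encrypted login page is exposed the moment the client reuses it on an unencrypted API request, so the fix is both the Secure attribute on the cookie and HTTPS on every endpoint that expects it.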

The hacked account can provide the hacker not only with user details, but also with access to the photo streams of any of the user’s friends. It’s also possible to change the password, locking the legitimate owner out, and to delete photos the user has uploaded.

Reventlov says the Instagram team has not yet responded to his comments on the issue. It’s unclear if the Android version of the app is susceptible to the exploit.

Brad Merrill is a journalist, writer, entrepreneur, and the editor in chief of VentureBreak. His writing currently appears in various places across the web, including his blog. Brad is passionate about startups, technology, and their influence on life and culture. This passion—combined with his drive to expose the truth in every story—led him to found VentureBreak in 2010. He is known for his honest reporting and his sometimes-extreme opinions. Some of his work has been referenced by such notable publications as the Wall Street Journal.