A security flaw in the photo sharing app Instagram could compromise user accounts, after it was discovered that certain cookies are sent in plain text without encryption. The exploit, discovered by Carlos Reventlov and flagged to the Instagram team in November, relies on the fact that login and profile editing are done over encrypted links while other traffic is not.
According to Computerworld, a plain-text cookie is sent to Instagram’s servers when the app is loaded. Should a hacker intercept that cookie (and meet certain other conditions), they could potentially gain access to the account and lock out the legitimate user.
“Once the attacker gets the cookie,” says Reventlov, “he is able to craft special HTTP requests for getting data and deleting photos.” The exploit was identified and repeated with the latest version of the Instagram app for iOS, v3.1.2, on the iPhone 4, and relies on the fact that the company does not use HTTPS for API requests.
The hack requires that both the legitimate user and the hacker are connected to the same LAN. Instagrammers are safe using their mobile data connections, but using the same Wi-Fi hotspot leaves them susceptible.
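The weakness described above is a session cookie that is accepted and transmitted over plain HTTP, so anyone on the same network segment can read it. The following audit script is an added example, not code from the article, from Reventlov, or from Instagram: it checks `Set-Cookie` headers for the `Secure` and `HttpOnly` flags, flags any request that sends a session cookie to a non-HTTPS URL, and shows how the response header would look once hardened. The cookie names, hostnames and traffic records are constructed for the demonstration and are assumptions.

```python
"""Audit cookie handling for plain-text session leakage (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Assumed names of cookies that carry session authority; adjust for the app audited.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid"}


def audit_set_cookie(header_value):
    """Return {cookie_name: [missing flags]} for a Set-Cookie header value.

    A cookie without the Secure flag may be sent over plain HTTP by the client,
    which is exactly the condition that lets a LAN eavesdropper capture it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    missing = {}
    for name, morsel in jar.items():
        flags = [flag for flag in ("secure", "httponly") if not morsel[flag]]
        if flags:
            missing[name] = flags
    return missing


def harden_set_cookie(header_value):
    """Rewrite a Set-Cookie header so every cookie carries Secure and HttpOnly."""
    jar = SimpleCookie()
    jar.load(header_value)
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
    return "; ".join(m.OutputString() for m in jar.values())


def session_cookies_over_http(url, cookie_header):
    """Return the session cookie names a request sends to a non-HTTPS URL.

    `cookie_header` is the raw Cookie request header, e.g. "sessionid=x; a=b".
    """
    scheme = urlparse(url).scheme.lower()
    sent = {part.split("=", 1)[0].strip() for part in cookie_header.split(";") if "=" in part}
    if scheme == "https":
        return []
    return sorted(sent & SESSION_COOKIE_NAMES)


def audit_traffic(records):
    """Run session_cookies_over_http over (url, cookie_header) records; return findings."""
    findings = []
    for url, cookie_header in records:
        leaked = session_cookies_over_http(url, cookie_header)
        if leaked:
            findings.append({"url": url, "plaintext_session_cookies": leaked})
    return findings


# Constructed sample traffic: one API call over HTTP carrying a session cookie,
# one over HTTPS, and one over HTTP with no session-bearing cookie.
SAMPLE_TRAFFIC = [
    ("http://api.example.invalid/v1/feed", "sessionid=abc123; csrftoken=t0k3n"),
    ("https://www.example.invalid/accounts/login", "sessionid=abc123"),
    ("http://cdn.example.invalid/img/1.jpg", "region=eu"),
]

if __name__ == "__main__":
    print(audit_set_cookie("sessionid=abc123; Path=/; HttpOnly"))
    print(harden_set_cookie("sessionid=abc123; Path=/"))
    for finding in audit_traffic(SAMPLE_TRAFFIC):
        print(finding)
```

Run against a proxy log or a capture of your own app's traffic, the `audit_traffic` findings point at exactly the requests that would expose a session to a shared Wi-Fi hotspot; on the server side, `harden_set_cookie` shows the minimal header change (plus serving the API only over HTTPS) that removes the exposure.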
The hacked account can provide the hacker not only with user details, but also with access to the photo streams of any of the user’s friends. It’s also possible to change the password, locking the legitimate owner out, and to delete photos the user has uploaded.
Reventlov says the Instagram team has not yet responded to his comments on the issue. It’s unclear if the Android version of the app is susceptible to the exploit.