A security flaw in popular photo filter and sharing app Instagram could allow hackers to steal user accounts, after it was discovered that certain cookies are sent in plain text rather than secured. The exploit, discovered by Carlos Reventlov and apparently flagged to the Instagram team in early November, relies on the fact that while log-in and profile editing are done over encrypted links, Computerworld reports, a plain-text cookie is sent to the Instagram servers when the app is loaded. If the hacker intercepts that cookie – among other criteria – they can subsequently gain access to the account and lock out the legitimate user.
“Once the attacker gets the cookie” Reventlov says, “he is able to craft special HTTP requests for getting data and deleting photos.” The flaw was identified and reproduced using the latest version of the Instagram app for iOS, v3.1.2, on the iPhone 4, and relies on the fact that the company does not use HTTPS for API requests, Reventlov points out.
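The class of bug described above (a session cookie issued over HTTPS but then replayed by the app over plain HTTP) is easy to catch in a traffic audit. The following is an added example, not code from the article or from Instagram: it scans a constructed capture of request/response headers and reports cookies that were issued without the Secure attribute or transmitted over a non-TLS URL. Host names and cookie names are hypothetical.

```python
"""Audit captured HTTP exchanges for session cookies that travel in the clear."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample capture: (method, url, headers). Hostname and cookie
# names are hypothetical; the shape mirrors the flaw in the article: login
# over HTTPS, then the same cookie sent over plain HTTP when the feed loads.
SAMPLE_CAPTURE = [
    ("POST", "https://api.example.test/accounts/login",
     {"Set-Cookie": "sessionid=abc123; Path=/; HttpOnly"}),
    ("GET", "http://api.example.test/feed/timeline",
     {"Cookie": "sessionid=abc123; csrftoken=zz"}),
    ("GET", "https://api.example.test/users/self",
     {"Cookie": "sessionid=abc123"}),
]


def audit_cookie_transport(capture):
    """Return (finding, cookie_name, url) tuples for weak cookie handling.

    Two checks, both from the defender's side:
      * missing-secure-attr: a Set-Cookie without the Secure attribute, so the
        client is free to send it over plain HTTP later.
      * cleartext-cookie: a Cookie header observed on a non-https request, the
        exact condition that lets anyone on the same LAN read the session.
    """
    findings = []
    for _method, url, headers in capture:
        scheme = urlparse(url).scheme.lower()
        if "Set-Cookie" in headers:
            issued = SimpleCookie()
            issued.load(headers["Set-Cookie"])
            for name, morsel in issued.items():
                # Flag attributes are "" when absent and True when present.
                if not morsel["secure"]:
                    findings.append(("missing-secure-attr", name, url))
        if "Cookie" in headers and scheme != "https":
            sent = SimpleCookie()
            sent.load(headers["Cookie"])
            for name in sent:
                findings.append(("cleartext-cookie", name, url))
    return findings


if __name__ == "__main__":
    for finding in audit_cookie_transport(SAMPLE_CAPTURE):
        print(*finding)
```

The fix on the server side is the pair of conditions the audit checks for: issue the session cookie with the Secure attribute and serve every API endpoint over HTTPS, so the cookie never leaves the device unencrypted.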
For the exploit to work, however, both the hacker and the legitimate Instagram user must be connected on the same LAN. That’s obviously not going to be the case if the Instagramer is using their mobile data connection, but if they’re on the same WiFi hotspot then it leaves them potentially susceptible.
If compromised, the hacked account can give up not only whatever user details have been stored, but access to the photo streams of any friends on the service. It’s also possible to change the password and lock the proper owner out, as well as delete photos that the user has taken.
According to Reventlov, the Instagram team is yet to respond to his comments on the insecurity. It’s unclear if the Android version of the app is susceptible to the same exploit.