Instagram on iPhone Could Allow Account Hijacking


Facebook’s popular photo sharing app for iOSInstagram has a vulnerability that could make your account susceptible to be compromised. A security researcher Carlos Reventlov published on Friday a vulnerability in Facebook's Instagram photo-sharing service that could allow a hijacker to seize control of a victim's account.

His report reads:

"The Instagram app communicates with the Instagram API via HTTP and HTTPs connections.  Highly sensitive activities, such as login and editing profile data, are sent through a secure channel. However, some other request are sent through plain HTTP without a signature, those request could be exploited by an attacker connected to the same LAN of the victim’s iPhone."

The vulnerability is in the 3.1.2 version of Instagram's application the app is susceptible to eavesdropping and man in the middle attacks that could lead anyone to delete photos and download private media without the victim’s consent.  The vulnerability was found on 11th November 2012 and Instagram authorities were informed but yet haven’t been fixed.

Carlos Reventlov suggested fixes are use https for all API requests that could contain sensitive data, such as photo URLs or use a body signature for unencrypted requests.