Two days ago, we reported at http://professionalhackers.in about a critical issue in the most popular image and video sharing service, Instagram app for mobiles, that allows an attacker to hijack users’ account and successfully access private photos, delete victim’s photos, edit comments and also post new images.
Yesterday, a London developer Stevie Graham has released a tool called “Instasheep” a play on the 2010 Facebook stealer Firesheep, a Firefox extension that can be used to compromise online accounts in certain circumstances automatically using a click of mouse.
Graham discovered the Instagram issue years ago and was shocked when he realized it hadn’t been fixed by Facebook yet. He released the tool after claiming Facebook refused to pay a bug bounty for his reported vulnerabilities affecting the Instagram iOS mobile application.
Graham tweeted about the issue: “Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts,” he wrote. “Pretty serious vuln, FB. please fix.”
The largest social networking giant Facebook was reportedly aware of the issue related to its Instagram iOS app and was working on a fix by deploying HTTPS across its portfolio, but still it is not clear that how much time it will take.
The right use of vulnerability could expose iOS app users to man-in-the-middle (MitM) attacks as we earlier said Instagram sends some unencrypted data with the session cookie. An attacker could then reuse these intercepted HTTP session cookies on another system/browser to hijack the session of the victim’s Instagram account.
“I don’t agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora’s Box has been blown apart,” Graham wrote on YCombinator.
Instagram co-founder Mike Krieger has responded to issue via the same YCombinator website and said, “We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”
Graham rolled out an “Instasheep” tool automating process in order to force Facebook’s hand, although the company ought to speed up its efforts on deploying HTTPS.