Instagram fans, beware. A GitHub user has just posted information about a substantial security flaw in the iOS app that could allow a malicious third party to gain full access to an account on the social network.
Steve Graham posted the information, saying Instagram makes API calls to non-HTTPS endpoints with session cookies in the request headers, allowing full session hijack by a malicious actor.
At GitHub, Graham lays out the complete steps to reproduce the issue, reporting he was able to perform a session hijack on his own account while someone else was browsing Instagram on his iPhone.
Hackers can only hijack your Instagram account if they are on the same open or WEP-encrypted WiFi access point when you're using the app. Still, Graham believes the issue is major:
I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.
In the comments section, Graham said he informed Facebook of the issue. The response he received was less than thrilling:
I adhered to the FB responsible disclosure procedure. FB replied saying they’re already aware of the issue and closed the ticket.
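The defect described above, session cookies carried in request headers to non-HTTPS endpoints, is the kind of thing a review of an app's captured traffic should flag. The following is an added audit example, not code from the original post or from Instagram; the sample exchanges, host names and the cookie name treated as a session token are constructed placeholders.

```python
# Added example: flag session cookies that travel in the clear or are set
# without the Secure attribute. Sample data below is constructed.
from urllib.parse import urlsplit

# Constructed sample: (request URL, request headers, response headers)
SAMPLE_EXCHANGES = [
    ("http://api.example.invalid/v1/feed",
     {"Cookie": "sessionid=abc123; csrftoken=xyz"},
     {}),
    ("https://api.example.invalid/v1/login",
     {},
     {"Set-Cookie": "sessionid=abc123; Path=/; HttpOnly"}),
    ("https://api.example.invalid/v1/me",
     {"Cookie": "sessionid=abc123"},
     {"Set-Cookie": "sessionid=def456; Path=/; Secure; HttpOnly"}),
]

SESSION_COOKIE_NAMES = {"sessionid"}  # placeholder: cookie names treated as session tokens


def cookie_names(cookie_header):
    """Return the set of cookie names present in a Cookie header value."""
    return {p.split("=", 1)[0].strip() for p in cookie_header.split(";") if "=" in p}


def audit(exchanges):
    """Return (url, finding) pairs for cleartext or non-Secure session cookies."""
    findings = []
    for url, req, resp in exchanges:
        scheme = urlsplit(url).scheme.lower()
        # A session cookie in a request to a non-HTTPS endpoint is readable on the wire.
        sent = cookie_names(req.get("Cookie", "")) & SESSION_COOKIE_NAMES
        if sent and scheme != "https":
            findings.append((url, f"session cookie {sorted(sent)} sent over {scheme}"))
        # A session cookie set without Secure will later be sent to any http:// URL on the host.
        set_cookie = resp.get("Set-Cookie", "")
        if set_cookie:
            name = set_cookie.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
            if name in SESSION_COOKIE_NAMES and "secure" not in attrs:
                findings.append((url, f"Set-Cookie for {name} lacks the Secure attribute"))
    return findings


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_EXCHANGES):
        print(f"{url}: {finding}")
```

On the constructed sample, the first exchange is flagged for sending the session cookie over plain HTTP and the login response for setting it without Secure; the third exchange passes both checks.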