What else is your Instagram sharing? The troubled photo sharing service is seeing users drop off in the millions, as controversial changes to its Terms of Service last month have cost Instagram nearly half its users by some estimates. But what else should users who are still keeping the faith, or who are on the fence about terminating their accounts, worry about when it comes to Instagram’s security?
SecureState, an information security consulting firm, reached out to us to share their recent findings on Instagram/mobile app security. What they found was that Instagram does indeed suffer from some old-hat vulnerabilities when it comes to security and identity protection.
I’ll save you a lot of tl;dr headache and just tell it to you straight: Instagram’s security is hardly state-of-the-art.
Alright, what’s the problem?
SecureState found (while reviewing network traffic for Instagram’s Android app) that the initial authentication request (when you log in) occurs over an SSL connection to the home site. Authentication requests after that occur in cleartext over HTTP.
After successful authentication, the user is returned a sessionid cookie, which is passed with all subsequent requests to identify the user. The cookie is cached and sent along with every request to the home site from then on. So far, so good: the login itself is encrypted.
The above figure shows the request being made over HTTP and the sessionid cookie being sent along for the ride. If you, the user, are on a shared network (WiFi at Starbucks, for instance), someone on that network can capture the sessionid cookie. Once they have it, they can make their own requests to Instagram’s API while impersonating you to retrieve information. They can post as you or completely take over your account.
Sounds pretty complex. Who would bother?
So far, this is pretty complex hacker stuff, but the problem is that a malicious user can modify your account to become public, which is a huge privacy concern. It can be pretty embarrassing depending on what you’ve got on there.
All of the other requests to the API occur over HTTP, which will leak the sessionid. In a well-secured social environment, requests should all be made over SSL to protect confidentiality and message integrity.
Okay, I’m convinced, how do I fix it?!
You can’t. But Instagram can. Addressing this type of thing usually starts all the way back in the early phases of the Software Development Lifecycle (SDLC). The fix is for the API endpoint to serve requests only over SSL and to refuse connections over cleartext HTTP.
Sensitive cookies should be marked with the “secure” flag, so that any browser or library which handles cookies doesn’t disclose them over non-SSL connections. If custom code is used to handle cookies, they should respect the “secure” flag and handle them accordingly.
Finally, the server’s SSL certificate should be verified in order to make sure it hasn’t been revoked, matches the hostname, and is signed by a trusted CA. Android’s TrustManager does this by default, but developers can (and do) override this class with their own version.
If the app accepts any certificate, the connection will still occur over SSL, but it can be attacked with no warning to the user, which is just as dangerous as not using SSL at all.
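As an added illustration (not code from the article or from SecureState), here is a small audit that applies two of the checks described above to constructed traffic records: it flags a sessionid cookie sent over cleartext HTTP, and a Set-Cookie for sessionid that lacks the Secure flag. The host and cookie values are made up.

```python
# Added example: audit constructed HTTP exchanges for a session cookie sent
# over cleartext and for a session cookie set without the Secure attribute.
from dataclasses import dataclass, field
from typing import Dict, List

SENSITIVE_COOKIES = {"sessionid"}  # cookie names that carry the session


@dataclass
class Exchange:
    """One captured request/response pair; every value here is a constructed sample."""
    scheme: str                                   # "http" or "https"
    host: str
    path: str
    request_headers: Dict[str, str] = field(default_factory=dict)
    response_headers: List[str] = field(default_factory=list)  # raw Set-Cookie values


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie header such as 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            cookies[name] = val
    return cookies


def audit(exchanges: List[Exchange]) -> List[str]:
    """Return one finding string per defect, in the order the exchanges occur."""
    findings = []
    for ex in exchanges:
        url = f"{ex.scheme}://{ex.host}{ex.path}"
        # Check 1: a session cookie must never travel over plain HTTP.
        sent = parse_cookie_header(ex.request_headers.get("Cookie", ""))
        for name in SENSITIVE_COOKIES:
            if name in sent and ex.scheme != "https":
                findings.append(f"{name} sent in cleartext to {url}")
        # Check 2: the server must set the session cookie with the Secure flag.
        for line in ex.response_headers:
            attrs = [a.strip() for a in line.split(";")]
            name = attrs[0].partition("=")[0]
            if name in SENSITIVE_COOKIES and "secure" not in {a.lower() for a in attrs[1:]}:
                findings.append(f"{name} set without Secure flag by {url}")
    return findings


SAMPLE = [  # constructed traffic modelled on the behaviour the post describes
    Exchange("https", "example.invalid", "/api/login",
             response_headers=["sessionid=abc123; Path=/; HttpOnly"]),
    Exchange("http", "example.invalid", "/api/feed",
             request_headers={"Cookie": "sessionid=abc123; lang=en"}),
    Exchange("https", "example.invalid", "/api/profile",
             request_headers={"Cookie": "sessionid=abc123"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, the login response is flagged for the missing Secure flag and the feed request for sending sessionid over HTTP; the HTTPS profile request passes.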
Don’t forget that you can also link your Instagram to … gee … ALL of your other social profiles. We’ve reached out to Instagram reps on this issue, and we’ll get back to you with their response.