Instagram may have become the most popular and most used photo-sharing app for both iOS and Android platforms but just like any other app, it’s not perfect. In fact, a new loophole has been discovered recently. According to experts, the new Instagram security flaw may allow attackers to delete photos or even take over accounts. The loophole was discovered in Instagram version 3.1.2 running on an iOS device.
The Instagram API uses both HTTP and HTTPS connections to send requests and data. Sensitive information such as profile editing data and login credentials are often sent via HTTPS because it is a secured channel. But it has been discovered recently by folks at reventlov.com that some data are actually sent using the other channel making the vulnerable to exploitation by some attackers who may have known the loophole.
If data are sent via HTTP channel, the only form of authentication required is a standard cookie that is often sent without encryption every time a user starts the Instagram app. Attackers that might be on the same network as with the iPhone or iPad may be able to intercept the data through a simple arpspoofing attack and can exploit the information to their liking. If it happens and attackers may be able to authenticate using intercepted information, they already have an ultimate access to the account and they can change login credentials anytime or delete photos.
The folks who have discovered the flaw made it public on November 10th and they contacted Instagram about it a day later but all they got was an automated response. Up until now, this issue may still be on-going so iOS device owners who might be using Instagram more often should use HTTPS channel most of the times, or never to use just any open WiFi access point.
This issue might only concerns Instagram but more often, attackers know exactly what to find to be able to gain access to other accounts including Facebook, Twitter and even emails. Precautionary measures should be taken especially by people who might be storing some sensitive data on their devices.