iPhone users risk having their Instagram accounts remotely hijacked due to a flaw in the way the popular photo-sharing app handles cookies, a researcher's proof-of-concept hack shows.
The problem occurs whenever the Instagram iOS app starts, or any other time the user is required to authenticate himself, said the researcher, Carlos Reventlov.
Reventlov said the Instagram app also sends unencrypted cookies to the Instagram company's Internet servers whenever users comment or "like" photos, allowing an attacker on the same wireless network to send a spoof message that diverts the cookie to the attacker's machine.
With that information, an attacker could hijack an account to post or delete photos, change the user's handle or password or even delete the entire account.
Reventlov said he told Instagram about the flaw on Nov. 11, but hadn't received anything other than an automatic reply. His proof was tested on Instagram 3.1.2 for iPhone but other versions, such as Instagram for Android, may also be affected.
Some Instagram app actions, such as profile editing, are sent through secure HTTPS channels, but the parallel insecure HTTP communications almost make that effort an act of futility.
Reventlov's solution is a simple one: Instagram should use encrypted cookies. Until that happens, there's little the average user can do.
On Sophos' Naked Security blog Graham Cluley slammed Reventlov for publishing details of the exploit and said he would have been better off demonstrating the hack to a journalist who could put pressure on Instagram to patch the bug.
"Reventlov seems to have only given Instagram a couple of weeks to get their act together and fix their systems. That doesn't seem like long enough to me," Cluley said. "Even if he was frustrated at the lack of response from Instagram, publishing information on the net about how to exploit their systems is perhaps the wrong way to get their attention."