London-based security researcher Stevie Graham discovered a configuration problem in the Instagram API years ago, and the popular photo-sharing social networking app has still not transitioned to full HTTPS encryption. The flaw poses security risks to Apple device owners who open their Instagram accounts on public Wi-Fi hotspots.
Hackers can access the targeted user accounts as long as they are connected to the same public Wi-Fi network. Graham, who describes himself as a ‘hacker at large,’ created a tool called Instasheep that is capable of hacking many Instagram accounts quickly. The name was derived from a Firefox extension hacking tool dubbed Firesheep.
He discovered that the Instagram API (application programming interface) transmits unencrypted requests that include a cookie, a data file that shows whether the user is still logged in. Once a hacker is connected to a public Wi-Fi hotspot that has no encryption or uses outdated WEP encryption, he can mount a man-in-the-middle attack or collect the network traffic. He can then steal the session cookie and use it to take control of the accounts of targeted Instagram users who are on the same public network.
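A defender-side check for the flaw described above, added here as an example (not Graham's tool and not Instagram's code): it scans recorded client requests for a session cookie sent over plain http:// and flags Set-Cookie headers that lack the Secure attribute. The hosts, the cookie name `session_token` and all sample records are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the name of the cookie that carries the logged-in session.
SESSION_COOKIES = {"session_token"}

# Constructed sample: requests as a proxy log or HAR export might record them.
SAMPLE_REQUESTS = [
    {"url": "https://api.example.test/v1/direct/inbox",
     "headers": {"Cookie": "session_token=abc123; lang=en"}},
    {"url": "http://api.example.test/v1/feed/timeline",
     "headers": {"Cookie": "session_token=abc123; lang=en"}},
    {"url": "http://cdn.example.test/img/1.jpg", "headers": {}},
    {"url": "http://api.example.test/v1/users/self",
     "headers": {"cookie": "lang=en"}},
]

# Constructed sample: Set-Cookie response headers from the same service.
SAMPLE_SET_COOKIE = [
    "session_token=abc123; Path=/; HttpOnly",
    "session_token=abc123; Path=/; HttpOnly; Secure",
]

def cookie_names(cookie_header):
    """Return the cookie names in a request Cookie header ('a=1; b=2')."""
    parts = (p.strip() for p in cookie_header.split(";"))
    return {p.split("=", 1)[0] for p in parts if p}

def plaintext_session_requests(requests, session_cookies=SESSION_COOKIES):
    """URLs of requests that send a session cookie over unencrypted HTTP."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() != "http":
            continue  # HTTPS requests are protected in transit
        headers = {k.lower(): v for k, v in req["headers"].items()}
        if cookie_names(headers.get("cookie", "")) & session_cookies:
            findings.append(req["url"])
    return findings

def missing_secure(set_cookie_headers, session_cookies=SESSION_COOKIES):
    """Set-Cookie headers that set a session cookie without 'Secure'."""
    findings = []
    for raw in set_cookie_headers:
        first, *attrs = [p.strip() for p in raw.split(";")]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        if first.split("=", 1)[0] in session_cookies and "secure" not in flags:
            findings.append(raw)
    return findings

if __name__ == "__main__":
    print(plaintext_session_requests(SAMPLE_REQUESTS))
    print(missing_secure(SAMPLE_SET_COOKIE))
```

A cookie set without `Secure` is attached by the client to any http:// request for the same host, which is why an app with only some endpoints on HTTPS still exposes the session.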
As of press time, Instagram Direct, a feature that allows users to share photos and videos in private sessions, is fully encrypted, while the company is still working on encrypting Instagram’s main feed to make sure that the transition will not affect overall service performance.
A fully encrypted website shows ‘https://’ in the URL bar with a small padlock icon beside it. Graham’s discovery of the configuration problem compelled Internet companies to secure the connections from and in-between the servers. “I think this attack is extremely severe because it allows full session hijack and is easily automated,” Graham said. The full transition could be technically challenging as well.