
Security Threat: Unencrypted Cookies in Instagram iOS App

If you’re using Instagram to share vintage-style pictures of your cat on your iPhone, you may be opening yourself up to hackers. A security hole has been discovered in the Instagram iOS app that can allow bad guys to gain access to your account, giving them the ability to get data and delete photos.

While the Instagram API uses both non-secure HTTP and secure HTTPS connections, the weird thing is that it uses the non-secure path for your account’s authentication. All it does is store a standard cookie on your device, and that cookie is sent without encryption. What this means is that if you’re on an unsecured connection, like public Wi-Fi at Starbucks, someone could potentially intercept that cookie and use it to authenticate themselves into your account.

The hacker can then utilize a variety of API calls to do all sorts of nasty things with your Instagram account, deleting your #foodporn pics with ease. The sad thing is that the person who discovered this security hole contacted Instagram about it, but hasn’t heard anything back. The solution is actually pretty simple on Instagram’s part: start using secure, encrypted cookies instead.

In the meantime, the actual threat level is pretty low, since it’s unlikely the guy at Starbucks is going to try and hack into your Instagram account, but you should be aware that the threat is there.
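For anyone who builds or tests apps, here is one way to check your own API responses for this class of problem. This is an added example, not code from Instagram or from the researcher who reported the issue; the host `api.example.test`, the cookie name `session_token` and the sample headers are constructed placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (URL the response came from, raw Set-Cookie header value).
# Host and cookie names are placeholders, not values taken from the Instagram app.
SAMPLE_RESPONSES = [
    ("http://api.example.test/login", "session_token=abc123; Path=/; HttpOnly"),
    ("https://api.example.test/login", "session_token=abc123; Path=/; HttpOnly"),
    ("https://api.example.test/login", "session_token=abc123; Path=/; Secure; HttpOnly"),
    ("http://api.example.test/feed", "ui_lang=en; Path=/"),
]

# Assumption: the set of cookie names that authenticate the user.
AUTH_COOKIE_NAMES = {"session_token"}


def audit_set_cookie(url, header_value, auth_names=AUTH_COOKIE_NAMES):
    """Return findings for authentication cookies set by one response."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if name not in auth_names:
            continue  # non-auth cookies (e.g. UI preferences) are out of scope
        if scheme != "https":
            # The Set-Cookie header itself crossed the network in cleartext.
            findings.append(f"{name}: set over plaintext {scheme.upper()}")
        if not morsel["secure"]:
            # Without Secure, the client attaches the cookie to HTTP requests too.
            findings.append(f"{name}: missing Secure attribute")
    return findings


def audit_all(responses):
    """Return (url, findings) pairs, skipping responses with nothing to report."""
    report = []
    for url, header in responses:
        found = audit_set_cookie(url, header)
        if found:
            report.append((url, found))
    return report


if __name__ == "__main__":
    for url, found in audit_all(SAMPLE_RESPONSES):
        for line in found:
            print(f"{url}  {line}")
```

Only the third sample response passes: it arrives over HTTPS and marks the cookie `Secure`, so the client never sends it over a plain HTTP connection.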




About Michael Kwan

A freelance writer and tech geek from Vancouver. Find me at michaelkwan.com and follow me on Twitter @michaelkwan.

One comment

  1. Hiram Rodriguez

    annnd no one cares.
