Security Threat: Unencrypted Cookies in Instagram iOS App
If you’re using Instagram to share vintage-style pictures of your cat on your iPhone, you may be opening yourself up to hackers. A security hole has been discovered in the Instagram iOS app that can allow bad guys to gain access to your account, giving them the ability to get data and delete photos.
While the Instagram API uses both non-secure HTTP and secure HTTPs connections, the weird thing is that it uses the non-secure path for your account’s authentication. All it does is store a standard cookie on your device, sent without encryption. What this means is that if you’re using an unsecure connection, like public Wi-Fi at Starbucks, someone could potentially intercept that cookie and use it to authenticate themselves into your account.
The hacker can then utilize a variety of API calls to do all sorts of nasty things with your Instagram account, deleting your #foodporn pics with ease. The sad thing is that the person who discovered this security hole contacted Instagram about it, but hasn’t heard anything back. The solution is actually pretty simple on Instagram’s part: start using secure, encrypted cookies instead.
In the meantime, the actual threat level is pretty low, since it’s unlikely the guy at Starbucks is going to try and hack into your Instagram account, but you should be aware that the threat is there.