Risk of losing Instagram accounts in mobile phones
09:25:00 | 20-12-2012

In early December, information about a security risk in the Instagram app for iPhone appeared on the Internet. Bkav experts conducted verification experiments and found the risk of losing Instagram accounts not only on iOS but also on the Android operating system.

Instagram is a photo sharing app for mobile phones. Its users can share photos from their phones to various social networks. This free software offers a variety of effects for editing photos right after they are taken, and therefore enjoys a huge number of users. Initially, Instagram was designed specifically for the iOS operating system (iPad, iPhone, iPod touch), but there are now versions for Android 2.2 and above.

In Instagram, besides the sensitive information that is encrypted during data transfer from the user's phone to the server, there is other important information which isn't protected; the cookie is a typical example. When a user opens Instagram on his iPhone (without having logged out since the previous log-in), the cookie string which contains the details of the user's sign-in session is sent to the server without being encrypted. Therefore, another user on the same LAN can steal this cookie string through a "man in the middle" attack. The attacker can then use the cookies to break into the user's account and use it as his own (view, edit or delete photos, change the account's information, etc.).
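The exposure described above can be checked for offline from a traffic log or a server's responses. The following is an added example and not code from the article or from Instagram: it flags session cookies that a client sent over plain HTTP (readable by anyone on the same network) and reports which protective attributes (Secure, HttpOnly) a Set-Cookie response header lacks. The request records, host names and the session cookie names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Cookie names assumed to carry the login session; these are illustrative,
# not names taken from the article or from Instagram.
SESSION_COOKIE_NAMES = {"sessionid", "auth_token"}


@dataclass
class HttpRequest:
    """One client request as it might appear in a proxy or capture log (constructed)."""
    scheme: str          # "http" or "https"
    host: str
    path: str
    cookie_header: str   # raw value of the Cookie request header ("" if none)


def session_cookies_in_clear(requests):
    """Return (host, path, cookie_name) for every session cookie that a client
    sent over unencrypted HTTP. Such a cookie can be read by anyone able to
    observe the LAN traffic, which is the risk the article describes."""
    findings = []
    for req in requests:
        if req.scheme.lower() != "http" or not req.cookie_header:
            continue
        jar = SimpleCookie()
        jar.load(req.cookie_header)          # parses "a=b; c=d" request cookies
        for name in jar:
            if name.lower() in SESSION_COOKIE_NAMES:
                findings.append((req.host, req.path, name))
    return findings


def missing_cookie_flags(set_cookie_header):
    """Given one Set-Cookie header value, list the protective attributes the
    server did not set. 'secure' stops browsers from sending the cookie over
    plain HTTP at all; 'httponly' keeps it away from page scripts."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    missing = {}
    for name, morsel in jar.items():
        # Flag attributes are True when present and "" when absent.
        missing[name] = [flag for flag in ("secure", "httponly") if not morsel[flag]]
    return missing


# Constructed sample traffic: one session cookie sent in the clear, one over
# TLS, and one request carrying no cookies at all.
SAMPLE_REQUESTS = [
    HttpRequest("http", "api.example.invalid", "/feed", "sessionid=abc123; lang=en"),
    HttpRequest("https", "api.example.invalid", "/login", "sessionid=abc123"),
    HttpRequest("http", "cdn.example.invalid", "/img/1.jpg", ""),
]

if __name__ == "__main__":
    for host, path, name in session_cookies_in_clear(SAMPLE_REQUESTS):
        print(f"session cookie '{name}' sent unencrypted to http://{host}{path}")
    print(missing_cookie_flags("sessionid=abc123; Path=/"))
    print(missing_cookie_flags("sessionid=abc123; Path=/; Secure; HttpOnly"))
```

Run against real logs, the first function tells an app owner whether the client ever sends the session over plain HTTP; the second tells them whether the server even asked the client to keep it off plain HTTP. Both checks passing is the server-side fix the article says was still outstanding: serve every request over HTTPS and mark the session cookie Secure.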

The tools that help hackers carry out a "man in the middle" attack on Instagram can easily be found on the Internet.

Cookies of users might be "eavesdropped"

Despite having been reported to the app's manufacturer, this vulnerability in Instagram has not yet been patched. To avoid losing their Instagram account, users should not use this software on untrusted Wi-Fi networks, especially public ones such as cafes, libraries, schools, and so on.

Bkav