Hacks For Instagram Accounts Available

  • 1
  •  
  •  
  •  
  •  
  •  
  •  
  •  
    1
    Share

A Developer from London discovered that Instagram account could be hijacked easily and he gave a proof of it But Facebook denied him a bug bounty,saying that they were aware of the problem he describe to them

The flaw is not new and consists in the fact that Instagram does not have encrypted communication implemented for all of its parts, and API calls are made to endpoints over simple HTTP; these contain session cookies in the request headers.

Intercepting the session cookies can be done easily, with free network traffic capture tools and loading them into a web browser provides an attacker access to the Instagram account without having to authenticate

Regular logging into the service is done over an encrypted connection, but ulterior communication with the cookies is carried out without encryption.

With access to the account, a potential attacker could initiate the same actions as if they were the owner, making modifications, adding new content or editing comments. Sending spam or directing followers to pages hosting malicious files are just some of the nefarious activities that can be perpetrated by leveraging this security flaw

Graham made the proof-of-concept available after previously exchanging messages regarding the matter with the Facebook Bug Bounty team. He tweeted about the denial of a bug bounty and said that his next step would be to write an automated tool that enabled mass hijacking of accounts.

“I think this attack is extremely severe because it allows full session hijack and is easily automated,” he said on the page disclosing the flaw.

Graham is not the only one that made this discovery and reported it to Facebook. This week, researcher Mazin Ahmed made the same disclosure, referring to the Instagram app for Android.

After contacting Facebook, he received an answer from the security team letting him know that they were aware of the problem.

“Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However, there is no definite date for the change. At the moment Facebook accepts the risk of parts of Instagram communicate over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the near future,” the Facebook team told him.

The following two tabs change content below.

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]

Leave a Reply