Stevie Graham, a security researcher who reported an authentication flaw in her iOS software Instagram A few days ago. The researcher did not get any financial reward when he mentioned the bug on Facebook.
Obviously, because the vulnerability was not new, and not because it is not serious. (Vulnerability was reported by 2012.)
So Graham began publishing instructions to the audience directing anyone concerned about how to breach Instagram accounts.
All you need is a shared Wi-Fi, a sniffer app, and the knowledge that you will violate the law if you invade someone's privacy.
Η attack can be done through Firesheep.
You know it Firesheep;
In 2010, social networks like Twitter and Facebook used to handle session authentication like this:
- Accept a connection using HTTPS (safe HTTP), which allows the user to enter the username and code accesss in an encrypted connection.
- The above websites send back a unique "session cookie" or as it is known a "session cookie", which is valid until the disconnection, with a one-time cryptographic code that proves that the user is logged in correctly.
- The acceptance of this cookie was then via an unsafe connection (HTTP).
Thus, one could not "catch" the user's password, but could easily grab his login cookie and violate current connections to Twitter or Facebook in real time.
What do I do with Firesheep?
Firesheep was an add-on for Firefox that automates the queue for connecting a user and then steals login cookies.
This allows accounts to be violated, at least until the owner realizes what's going on and disconnected.
Firesheep, could in turn mobilize companies like Twitter or Facebook to constantly use HTTPS.
Of course like Facebook, and Twitter there are too many others who use an unencrypted session cookie.
So for four years now, it seems that Instagram for iOS works in exactly the same way as explained above.
In short, it allows HTTP connections after the initial entry.
[tweet_embed id = 493469001075679232]
So Instagram users with iPhones and iPads can easily "lose" their accounts, says Stevie Graham and posted five simple steps to do it:
We will tell 1 a very serious reason not to do so
(At least, do not do it on someone else's account unless they give you permission.)
It's illegal.
But if it's really as easy as Graham says, Facebook will probably react very quickly.