How to breach any Instagram account

Stevie Graham is a security researcher who reported a flaw in Instagram for iOS a few days ago. The researcher did not get any monetary reward for reporting the bug.


Evidently that was because the vulnerability was not new, not because it is not serious. (The vulnerability had already been reported by 2012.)

So Graham began publicly posting instructions showing anyone interested how to breach Instagram accounts.

All you need is a shared Wi-Fi, a sniffer app, and the knowledge that you will violate the law if you invade someone's privacy.

The attack can take place via Firesheep.

Do you know Firesheep?

In 2010, social networks such as Twitter and Facebook handled session authentication roughly like this:

  • Accept a connection using HTTPS (secure HTTP), which allows the user to enter the user name and password in an encrypted connection.
  • The above websites send back a unique "session cookie", valid until logout, containing a one-time cryptographic code that proves the user has logged in correctly.
  • This cookie was then accepted over an insecure connection (HTTP).

Thus, an eavesdropper could not "catch" the user's password, but could easily grab the login cookie and hijack current Twitter or Facebook sessions in real time.
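The flow above fails at two points a site owner can check: the session cookie is issued without the `Secure` attribute, and later requests carry it over plain HTTP. The Python below is an added example, not part of the original article; the cookie name `sessionid`, the host `app.example` and all sample headers are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "sessionid"  # assumed session cookie name for this example


def audit_login_response(headers):
    """Return findings for the headers of an HTTPS login response."""
    findings = []
    names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no HSTS header: later requests may fall back to HTTP")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            # Without Secure, the client attaches the cookie to http:// requests.
            if name == SESSION_COOKIE and not morsel["secure"]:
                findings.append(f"{name} lacks Secure: sent over HTTP too")
    return findings


def cleartext_session_requests(requests):
    """Return URLs of plain-HTTP requests that carried the session cookie."""
    leaked = []
    for url, cookie_header in requests:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if urlsplit(url).scheme == "http" and SESSION_COOKIE in jar:
            leaked.append(url)
    return leaked


# Constructed sample data: the 2010-style flow and a corrected one.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]
FIXED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
]
TRAFFIC = [  # (request URL, Cookie header) pairs from a constructed proxy log
    ("https://app.example/login", ""),
    ("http://app.example/feed", "sessionid=abc123; lang=en"),
    ("http://app.example/static/logo.png", "lang=en"),
]

if __name__ == "__main__":
    print(audit_login_response(WEAK))
    print(audit_login_response(FIXED))
    print(cleartext_session_requests(TRAFFIC))
```

The second function is the one that matches the third bullet: it flags only requests where the session cookie itself crosses the network unencrypted, not every HTTP request.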

What do I do with Firesheep?

Firesheep was an add-on for Firefox that automated the process of waiting for a user to log in and then stealing the login cookie.

This allowed accounts to be hijacked, at least until the owner realized what was going on and logged out.

Firesheep alone could have spurred the likes of Twitter or Facebook to use HTTPS all the time.

Of course, as with Facebook and Twitter, there are many others that use an unencrypted session cookie.

So for four years now, it seems that Instagram for iOS works in exactly the same way as explained above.

In short, it allows HTTP connections after the initial login.

So Instagram users with iPhones and iPads can easily "lose" their accounts, says Stevie Graham, who posted five simple steps to do it:

We will give you one very serious reason not to do so:

(At least, do not do it on someone else's account unless they give you permission.)

It's illegal.

But if it's really as easy as Graham says, Facebook will probably react very quickly.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
