Instagram’s Android users risk having their accounts hijacked – but is that a threat to your business?

Firesheep 170Four years ago, a simple Firefox plugin called Firesheep demonstrated just how easy it was to break into anybody’s Facebook account if they made the mistake of logging in via an unencrypted WiFi connection.

There you would be, at your local coffee shop, and suddenly your account could be hijacked by a nearby hacker.

The problem was that users were connecting to the social network insecurely – and, at the time, Facebook (and an alarming number of other sites where users logged into accounts) didn’t use HTTPS by default.

Plenty of people downloaded the tool. Whether they were doing it out of curiosity, to prank their friends, to raise awareness of insecure online behaviour or – most worryingly – for malicious purposes, it’s hard to say. But Firesheep certainly raised awareness of the dangerous mix of unencrypted WiFi and an HTTP connection.

Sign up to our free newsletter.
Security news, advice, and tips.

The likes of Twitter and Facebook eventually made HTTPS the default for all visitors to their websites, but that doesn’t mean the problem has gone away entirely.

For instance, this weekend security researcher Mazin Ahmed claimed to have found a critical security problem in the Instagram Android app that could allow a malicious hacker to hijack users’ accounts and view private photographs, post new images, session cookies, and edit comments.

Hijacked instagram session

Ahmed used a simple tool to monitor network traffic, and was startled to discover that the official Instagram app for Android devices was sending information in the clear, rather than properly encrypting the data:

“I was shocked after seeing the results, it is unbelievable that Facebook, the company that is responsible for Instagram, did not insure that the data is secured and goes through HTTPS.”

I agree with Ahmed. It is pretty shocking that Instagram’s official app should be acting in such a sloppy fashion – especially when you consider it is used by hundreds of millions of people around the world, and now owned by Facebook who should (surely) have learnt the lesson of secure app communications by now.

It seems Instagram’s Android app is making it far too easy for hackers to not only intercept private wireless communications, but to launch a man-in-the-middle attack, where they could actually hijack an account for their own purposes.

Perhaps most alarmingly of all, in an emailed response to the researcher Facebook said it had no timeline for fixing the issue:

“Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However there is no definite date for the change. At the moment Facebook accepts the risk of parts of Instagram communicate over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the future.”

But are vulnerabilities like this a threat to enterprises as well as consumers?

Well, yes.

Disregard for one moment that many major brands and celebrities use Instagram as an essential part of their social media marketing, broadcasting messages to millions of users with carefully chosen snapshots. It goes further than that.

It is not only concerning that apps developed by well-known tech companies and distributed in official app stores have shown a sloppy attitude to securing information. It has also become clear that as the consumer and enterprise mobile worlds overlap it’s harder and harder to determine if there is any border at all between them.

What I’m talking about is BYOD (Bring Your Own Device) – and it can be a security nightmare for companies.

Staff bring shiny smartphones into the office and demand to be able to use it to connect to their corporate email, to do work on the move *and* to mess around on the likes of Facebook and Instagram. A few of them may even have a legitimate corporate reason for using such apps. :)

IT teams around world have discovered that it’s simply not practical to both fight the rise of consumerization and keep a happy workforce, and so we have seen mobile device management solutions take off in popularity – giving companies the ability to have some oversight and control over what gets installed on users’ devices and how they are configured.

If your business is concerned about the Android Instagram app’s propensity for leaking data, then maybe it would be wise to disallow its use via your mobile device management software.

At the very least, an alert like this is a salutary reminder that encrypting all communications from your users’ mobile devices using VPN technology might be a very sound idea. That way, even if an app is recklessly not encrypting the data it sends to the net, hackers sniffing at WiFi hotspots are going to have a lot more trouble snooping on activity.

Tripwire security researcher Craig Young agrees:

“Using HTTP in place of HTTPS on a social networking site’s mobile app is just asking for problems. Mobile phones are particularly susceptible to interception by third parties due to the prevalence of open wireless networks. The WiFi protocol designs along with people’s tendency to leave WiFi on all the time, makes it trivial for attackers to intercept smartphone internet connections.

Any Instagram customers should immediately discontinue use of this app to avoid having their accounts hijacked. Firesheep demonstrated clearly that even unsophisticated adversaries can exploit unencrypted services.”

For his part, Ahmed says the advice is clear: don’t use the Instagram Android app until it is properly patched. Facebook may be prepared to “accept the risk”, but that doesn’t mean you have to.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.