BreachExchange mailing list archives

Instagram vulnerability on iPhone allows for account takeover


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 4 Dec 2012 11:41:52 -0500

http://www.computerworld.com/s/article/print/9234236/Instagram_vulnerability_on_iPhone_allows_for_account_takeover

December 2, 2012 (IDG News Service)

A security researcher published on Friday another attack on Facebook's
Instagram photo-sharing service that could allow a hacker to seize
control of a victim's account.

The attack was developed by Carlos Reventlov around a vulnerability he
found within Instagram in mid-November. He notified Instagram of the
problem on Nov. 11, but as of last Tuesday, it had not been fixed.

The vulnerability is in the 3.1.2 version of Instagram's application,
released on Oct. 23, for the iPhone. Reventlov found that while some
sensitive activities, such as logging in and editing profile data, are
encrypted when sent to Instagram, other data was sent in plain-text.
He tested the two attacks on an iPhone 4 running iOS 6, where he first
found the problem.

"When the victim starts the Instagram app, a plain-text cookie is sent
to the Instagram server," Reventlov wrote. "Once the attacker gets the
cookie he is able to craft special HTTP requests for getting data and
deleting photos."

The plain-text cookie can be intercepted using a man-in-the-middle
attack as long as the hacker is on the same LAN (local area network)
as the victim. Once the cookie is obtained, the hacker can delete or
download photos or access the photos of another person who is friends
with the victim.

The Danish security company Secunia verified the attack and issued an advisory.

Reventlov continued to study the potential of the vulnerability and
found the cookie issue could also allow the hacker to take over the
victim's account. Again, the attacker has to be on the same LAN as the
victim.

The compromise uses a method called ARP (Address Resolution Protocol)
spoofing, where the web traffic of the victim's mobile device is
channeled through the attacker's computer. Reventlov wrote that it is
then possible to intercept the plain-text cookie.

By using another tool to modify the headers of a web browser during
transmission to Instagram's servers, it is possible to then sign in as
the victim and change the victim's email address, resulting in a
compromised account. The fix for Instagram is easy: the site should
always use HTTPS for API requests that have sensitive data,
Reventlov wrote.

"I've found that many iPhone apps are vulnerable to such things but
not too many are high-profile apps like Instagram," Reventlov wrote in
an email to IDG News Service.

Neither Instagram nor Facebook officials could be immediately reached
on Monday. Reventlov wrote in his advisories that he received an
automated reply when he told Instagram of the issue.
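
For developers checking their own app for the issue described above, the following is an added example, not code from the article or from Reventlov's advisories. It audits a proxy capture of an app's own traffic for cookies sent over plain HTTP and for cookies issued without the Secure attribute. The host, paths and cookie names are constructed.

```python
from urllib.parse import urlsplit

# Constructed capture of an app's own traffic, as a tester might export it
# from their proxy. Host, paths and cookie names are hypothetical.
CAPTURE = [
    {"url": "https://api.example.test/accounts/login",
     "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "response_headers": [("Set-Cookie", "sessionid=CONSTRUCTED; Path=/; HttpOnly")]},
    {"url": "http://api.example.test/feed/timeline",
     "request_headers": {"Cookie": "sessionid=CONSTRUCTED; uid=1001"},
     "response_headers": []},
    {"url": "https://api.example.test/accounts/edit",
     "request_headers": {"Cookie": "sessionid=CONSTRUCTED"},
     "response_headers": [("Set-Cookie", "csrf=CONSTRUCTED; Path=/; Secure")]},
]

def cookie_names(header_value):
    """Names from a cookie string such as "a=1; b=2"."""
    return [p.split("=", 1)[0].strip() for p in header_value.split(";") if p.strip()]

def audit(capture):
    """Return (entry index, finding, cookie names) for each cleartext exposure."""
    findings = []
    for i, entry in enumerate(capture):
        scheme = urlsplit(entry["url"]).scheme.lower()
        req = {k.lower(): v for k, v in entry["request_headers"].items()}
        # A cookie on an http:// request is readable by anyone on the network path.
        if scheme == "http" and "cookie" in req:
            findings.append((i, "cookie-over-http", cookie_names(req["cookie"])))
        for name, value in entry["response_headers"]:
            if name.lower() != "set-cookie":
                continue
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            # Without Secure, a cookie issued over HTTPS is still attached
            # to later http:// requests to the same host.
            if "secure" not in attrs:
                findings.append((i, "set-cookie-without-secure", cookie_names(parts[0])))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

An empty result from audit() on a full capture of the app's start-up and browsing traffic is what the "always use HTTPS" fix should produce.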