Saturday, July 26, 2014

Session Hijacking in Instagram Mobile App via MITM Attack [ 0-DAY ]




In this post, I am going to share a new critical issue that I have identified in the Instagram mobile app. During my tests on their Android app, I set up a lab to pentest the app. Then I started using the app on my phone while monitoring the network traffic with Wireshark, looking for evidence of unencrypted data crossing the network, or for a technique to make that data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark captured unencrypted data going over HTTP. This data includes: the pictures the victim is viewing, the victim's session cookies, and the victim's username and ID.



I was shocked after seeing the results; it is unbelievable that Facebook, the company responsible for Instagram, did not ensure that the data is secured and goes through HTTPS.


Then I took the session cookies and used them on my computer, and simply: “The Victim's Session Has Been Hijacked”.
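The finding above comes down to one observable fact: a session cookie crossing the wire inside a cleartext HTTP request. The following script is an added example (not code from the original post, and not Instagram's or Facebook's code) showing how a defender can audit captured traffic for exactly that: it parses a raw HTTP request and flags any cookies, especially session-looking ones, seen over a plaintext transport, and it audits Set-Cookie response headers for the missing Secure and HttpOnly attributes. The sample request and response, the hostname, and the list of session cookie names are constructed for this example.

```python
"""Audit captured HTTP messages for session cookies exposed in cleartext.

Added example for this post (not the blog author's or Instagram's code).
The sample messages and cookie names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: names that commonly carry a session identifier. Extend per application.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "phpsessid", "jsessionid", "auth_token"}

# Constructed sample traffic; "example-api.invalid" is a placeholder hostname.
SAMPLE_REQUEST = (
    "GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    "Host: example-api.invalid\r\n"
    "Cookie: sessionid=EXAMPLE_SESSION_TOKEN; ds_user_id=12345\r\n"
    "User-Agent: ExampleApp/1.0\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=EXAMPLE_SESSION_TOKEN; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=EXAMPLE_CSRF; Path=/; Secure\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "{}"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium"
    message: str


def parse_http_message(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 message into its start line and (lowercased name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than crash on captured junk
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_names(cookie_header: str) -> List[str]:
    """Return the cookie names carried in a Cookie request header."""
    return [part.split("=", 1)[0].strip() for part in cookie_header.split(";") if "=" in part]


def audit_request(raw: str, transport: str) -> List[Finding]:
    """Flag cookies sent in a request over a cleartext transport.

    transport is "http" or "https" as observed on the wire (e.g. from the TCP port
    or the presence of a TLS handshake on the connection).
    """
    findings: List[Finding] = []
    if transport != "http":
        return findings  # encrypted in transit; nothing for a passive observer to read
    _, headers = parse_http_message(raw)
    for name, value in headers:
        if name != "cookie":
            continue
        for cname in cookie_names(value):
            if cname.lower() in SESSION_COOKIE_NAMES:
                findings.append(Finding("critical", f"session cookie '{cname}' sent over cleartext HTTP"))
            else:
                findings.append(Finding("high", f"cookie '{cname}' sent over cleartext HTTP"))
    return findings


def audit_response(raw: str) -> List[Finding]:
    """Flag Set-Cookie headers issued without the Secure or HttpOnly attribute."""
    findings: List[Finding] = []
    _, headers = parse_http_message(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(Finding("high", f"cookie '{cname}' set without Secure, so a client may send it over HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding("medium", f"cookie '{cname}' set without HttpOnly"))
    return findings


if __name__ == "__main__":
    for f in audit_request(SAMPLE_REQUEST, "http") + audit_response(SAMPLE_RESPONSE):
        print(f"[{f.severity}] {f.message}")
```

On the constructed sample the request audit reports the session cookie as critical and the user-ID cookie as high, and the response audit reports that the session cookie was issued without Secure and the CSRF cookie without HttpOnly. The Secure attribute only helps when the client honours it (browsers do; a native app's HTTP stack may not), which is why the durable fix is the one the post asks for: the app must send every authenticated request over HTTPS, and the server should refuse to accept a session cookie on a plaintext connection.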




I have reported this issue to Facebook, and they emailed me saying:



The security member said: “Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS”.
If this unencrypted data can lead to session hijacking and stalking of Instagram users, this may raise an eyebrow of suspicion.


Timeline:
Jul 24, 2014 4:35am – Reported the issue.
Jul 24, 2014 4:38am – Received a confirmation email of receiving the submission.
Jul 24, 2014 9:45pm – Received the first response from Facebook Security.
Jul 24, 2014 9:45pm – I asked for a disclosure.
Jul 24, 2014 11:56pm – Received the second response from Facebook Security.

Recommendation:
Until a patch is released (Facebook has not assigned any specific date for releasing one), do not use the Instagram mobile app. Instead, use the normal website, which is generally secured and encrypted.

Final Thoughts:
It is unbelievable that a company such as Facebook does not take the maximum measures to ensure the security of its users. Right now, I believe this issue might be getting exploited in public by surveillance agencies.

Follow me on Twitter @mazen160, and check my blog for the latest news and findings.

13 comments:

  1. Thanks for sharing, I will post it in http://www.anti-virus4u.com/ media channels

  2. Nice work. But I think now you won't be considered for https://www.facebook.com/whitehat

    1. Unfortunately, it didn't qualify for Fb bounty program. But it is good that everyone knows about the reality of Facebook & Instagram now.
      Thanks,
      Mazin

  3. awesome post i really like it thanks for sharing this.
    mobile

  4. Can we talk over email??? I have read your article & found some questions regarding it...
    android event app

  5. Webdesign, Web Development, Software, Matrimony,Bulk SMS, Web Hosting, Online Application, Mobile Development, school management system, college management system, mlm software, recurring and fixed deposit software, inventory software, billing software, lab management, in tamilnadu, india. Loginfotech

  6. This comment has been removed by the author.

  7. Your post will be rather good, and I’m sure some will find it interesting because it’s about a topic that’s as widely discussed as others. Some may even find it useful. Thanks so much for your post. mobile app development

  8. thanks very much.
    http://www.2n2media.com/mobile-application-development-singapore

  9. Thanks for sharing information.
    recharge offers
    videocontelecom offers new Customers the proposition will be available on Plan voucher (PV) priced at Rs 76, offering All Local Calls at 25P/min only for 6 months including Rs 63 Talk time; 1050 MB data for 3 month and 100 SMS free/day, with first 2 SMS of the day chargeable at rack rate only in Haryana.
