Saturday, July 26, 2014

Session Hijacking in Instagram Mobile App via MITM Attack [ 0-DAY ]

In this post I am going to share a new critical issue that I identified in the Instagram mobile app. During my tests of their Android app I set up a lab to pentest it. I then used the app on my phone while monitoring the network traffic with Wireshark, looking for evidence of unencrypted data going over the network, or for a technique to make that data unencrypted if it was encrypted. As soon as I logged into my account on the phone, Wireshark captured unencrypted data sent over plain HTTP. This data included: the pictures the victim is viewing, the victim's session cookies, and the victim's username and user ID.

I was shocked by the results; it is unbelievable that Facebook, the company responsible for Instagram, did not ensure that this data is secured and sent over HTTPS.

Then I took the session cookies, used them on my computer, and simply: "The Victim's Session Has Been Hijacked".
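As an added example (not the author's tooling and not anything from Instagram), here is a small Python audit that scans constructed HTTP messages for the two defects behind the finding above: a session cookie carried in a plaintext HTTP request, and a Set-Cookie that omits the Secure attribute, which is what lets a browser or client send the cookie over HTTP in the first place. The host and cookie names are assumed sample values, and the audit reports only cookie names, never values.

```python
# Constructed sample traffic (not captured from the original post): a plaintext
# request carrying a session cookie, an HTTPS request (acceptable), and a
# plaintext response setting a session cookie without the Secure attribute.
SAMPLE_TRAFFIC = [
    {"scheme": "http",
     "raw": "GET /api/v1/feed/ HTTP/1.1\r\nHost: app.example.invalid\r\n"
            "Cookie: sessionid=REDACTED_SAMPLE; ds_user_id=12345\r\n\r\n"},
    {"scheme": "https",
     "raw": "GET /api/v1/me/ HTTP/1.1\r\nHost: app.example.invalid\r\n"
            "Cookie: sessionid=REDACTED_SAMPLE\r\n\r\n"},
    {"scheme": "http",
     "raw": "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc; Path=/; HttpOnly\r\n"
            "Content-Type: text/html\r\n\r\n"},
]

# Assumed names of cookies that carry authentication state for this example.
SESSION_COOKIE_NAMES = {"sessionid", "ds_user_id"}


def _parse_headers(raw):
    """Split a raw HTTP message into its start line and (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(traffic):
    """Return (finding, cookie_name, start_line) tuples; cookie values are never reported."""
    findings = []
    for msg in traffic:
        start, headers = _parse_headers(msg["raw"])
        for name, value in headers:
            if name == "cookie":
                # A session cookie inside a request on plain HTTP is readable by any MITM.
                names = {p.split("=", 1)[0].strip() for p in value.split(";")}
                for cookie in sorted(names & SESSION_COOKIE_NAMES):
                    if msg["scheme"] == "http":
                        findings.append(("session-cookie-over-plaintext", cookie, start))
            elif name == "set-cookie":
                # Without Secure, the client will replay the cookie on HTTP requests.
                cookie = value.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in value.split(";")[1:]}
                if cookie in SESSION_COOKIE_NAMES and "secure" not in attrs:
                    findings.append(("set-cookie-missing-secure", cookie, start))
    return findings
```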

I reported this issue to Facebook, and they emailed me saying:

       The security member said: "Facebook accepts the risk of parts of Instagram communicating over HTTP, not over HTTPS".
If this unencrypted data can lead to session hijacking and stalking of Instagram users, that should raise an eyebrow of suspicion.

Jul 24, 2014 4:35am – Reported the issue.
Jul 24, 2014 4:38am – Received a confirmation email of receiving the submission.
Jul 24, 2014 9:45pm – Received the first response from Facebook Security.
Jul 24, 2014 9:45pm – I asked for a disclosure.
Jul 24, 2014 11:56pm – Received the second response from Facebook Security.

       Until a patch is released (Facebook has not assigned any specific date for releasing one), do not use the Instagram mobile app. Instead, use the normal website; it is generally secured and encrypted.

Final Thoughts:
       It is unbelievable that a company such as Facebook does not take the maximum measures to ensure the security of its users. Right now, I believe this issue might already be exploited in the wild by surveillance agencies.

     Follow me on Twitter @mazen160, and check my blog for the latest news and findings.


  1. Thanks for sharing, I will post it in media channels

  2. Nice work. But I think now you won't be considered for

    1. Unfortunately, it didn't qualify for Fb bounty program. But it is good that everyone knows about the reality of Facebook & Instagram now.

  3. Awesome post, I really like it. Thanks for sharing this.

  4. Can we talk over email??? I have read your article & found some questions regarding it...

  8. Thanks very much.

  17. Never heard of such issues before but will be careful after what you showed here.
