If you are an Instagram addict who cannot resist taking and sharing photos anywhere, including public places where a Wi-Fi connection is available, you should be aware of some risks.
Recent reports describe a configuration error in the popular photo-sharing app for iOS devices that enables attackers to seize control of your personal account when you connect to a public wireless network.
Security researcher Stevie Graham first reported the Instagram configuration issue one year ago and now plans to develop a tool for compromising Instagram accounts, if only to call attention to the issue, which he says Facebook keeps neglecting.
The attacks that could hit Instagram vary, but one thing is sure: they would all be extremely damaging, because hackers could hijack a full session using an automated software program. This is especially attractive to spammers, who could accumulate thousands of Instagram accounts, manipulate them and distribute spam on a huge scale.
It is worth pointing out that this configuration error is nothing new to Instagram or to Facebook, which acquired the company in 2012. In fact, most Internet companies have implemented encryption as a way to address many security issues on the Web, including the kind of configuration issue seen in Instagram.
What is new, however, is the discovery of vulnerabilities arising from such an error. But even that is not surprising; the security community surely saw it coming.
Moving the website to an encrypted protocol such as HTTPS is paramount in this situation, since Instagram’s application programming interface (API) sends unencrypted requests to its network, where hackers could find loopholes and intrude on the communication to carry out their malicious intentions.
One well-known method for carrying out such an attack is man-in-the-middle, in which an attacker steals session cookies to take control of an Instagram account. These cookies could be transmitted by Instagram API calls over unencrypted connections.
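A defensive check for the exposure described above, as an added example that is not part of the original article: it audits a proxy log of your own app's traffic for session cookies issued without the `Secure` attribute or sent over plain HTTP. The hostnames, the cookie name `sid` and the log structure are constructed assumptions, not real Instagram values.

```python
from urllib.parse import urlsplit

# Constructed sample: exchanges exported from a proxy log of your own app.
# Hostnames, paths and cookie names are placeholders, not real service values.
SAMPLE_EXCHANGES = [
    {"url": "https://api.example.test/login",
     "request_headers": {},
     "set_cookie": ["sid=abc123; Path=/; HttpOnly"]},      # Secure missing
    {"url": "http://api.example.test/feed",                 # plain HTTP call
     "request_headers": {"Cookie": "sid=abc123; lang=en"},
     "set_cookie": []},
    {"url": "https://api.example.test/upload",
     "request_headers": {"Cookie": "sid=abc123"},
     "set_cookie": ["csrf=xyz; Path=/; Secure"]},
]


def cookie_names(cookie_header):
    """Return the cookie names carried in a request Cookie header."""
    return [part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if "=" in part]


def audit(exchanges, session_cookies=("sid",)):
    """Flag session cookies that a network observer could read.

    missing-secure   : server set the cookie without the Secure attribute,
                       so the client may later send it over HTTP.
    cleartext-cookie : the cookie was actually sent in an http:// request.
    """
    findings = []
    for ex in exchanges:
        for raw in ex["set_cookie"]:
            name_value, *attrs = raw.split(";")
            name = name_value.split("=", 1)[0].strip()
            attr_names = {a.split("=", 1)[0].strip().lower() for a in attrs}
            if name in session_cookies and "secure" not in attr_names:
                findings.append(("missing-secure", name, ex["url"]))
        if urlsplit(ex["url"]).scheme.lower() == "http":
            sent = cookie_names(ex["request_headers"].get("Cookie", ""))
            for name in sent:
                if name in session_cookies:
                    findings.append(("cleartext-cookie", name, ex["url"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGES):
        print(finding)
```

Any `cleartext-cookie` finding means the session is readable on a shared network; the fix is serving every API endpoint over HTTPS and setting `Secure` on the session cookie.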
As always, Facebook would not comment on the problem. Although the social networking site has recently transitioned to an encrypted environment, many of its services are still vulnerable to attacks and compromises.
Part of the reason is the effect that migrating to encryption has on the performance of various Instagram features. For one, encryption might slow down performance. It could also undermine the advertising business. But Facebook has promised to complete a program that would encrypt its services, including Instagram, without sacrificing performance.