The Inquirer-Home

Instagram to use HTTPS following discovery of gaping security hole in iOS app

Security expert warns users should not use the app until a patch is released
Tue Jul 29 2014, 16:38

HIPSTER PHOTO-SHARING APP Instagram will switch to HTTPS following the discovery of a zero-day vulnerability in the mobile app that is believed to allow an attacker to hijack a user's account.

Instagram co-founder Mike Krieger revealed news of the move when he responded to the publication of a potential vulnerability in the app's iOS version. He noted that the company plans to finish upgrading to HTTPS, which refers to Hypertext Transfer Protocol over Secure Socket Layer - a communications protocol for secure communication over a computer network - for the entire service "soon".

"We've been steadily increasing our HTTPS coverage - Instagram Direct, for example, which we launched in late 2013, is 100 percent HTTPS," said Krieger in a comment responding to the flaw on Y Combinator's Hacker News website. "For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we're actively working on rolling out HTTPS while making sure we don't regress on performance, stability, and user experience."

The major technical flaw in the photo sharing app was discovered by security expert Mazin Ahmed, who wrote about his findings in a blog post. He said he discovered the issue when he used Wireshark to look for signs of unencrypted data going through the network. The flaw means the app faces a high risk of hacking when accessed via public WiFi or even through the mobile phone network.

From his findings, Ahmed suggested that an attacker could intercept photos and even the victim's username and ID. He notified Facebook of the flaw, but had not received any word on when the vulnerability would be patched until Krieger responded on Y Combinator.

"I was shocked after seeing the results, it is unbelievable that Facebook, the company that is responsible for Instagram, did not ensure that the data is secured and goes through HTTPS," Ahmed warned in the blog. "Until a patch is released (which there is no specific date for releasing a patch that has been assigned by Facebook), do not use Instagram mobile app. Instead, use the normal website, it is generally secured and encrypted."

Krieger said that HTTPS is a "project" Instagram is hoping to "complete soon", and the firm will share its experiences in the switch over so other companies can learn from it as well.

Third-party Instagram viewing apps aren't a good alternative, either, it seems. In May, security firm Malwarebytes warned Instagram users that downloading third-party applications that enable them to download their Instagram photos and videos to desktop machines could expose them to a number of security vulnerabilities.

The company said that the possible threats - files and websites alike - that take advantage of a software's popularity could spell bad news for users in terms of internet congestion, unwanted redirection to websites and possible installation of other programs without the user's consent. µ

