Security researcher Stevie Graham was denied a bug bounty by Facebook after he pointed out a major security flaw in Instagram running on iOS.
Maybe he was denied because the bug has been known about since 2012? Or is it because Facebook-owned Instagram didn't think it was that big of a deal?
Either way, it's a big deal now - he's made the hack public and is telling everyone how you can hack into other people's Instagram accounts using a shared Wi-Fi connection.
In three tweets, Graham says:
Last night I reported a serious security hole with @instagram that I've known about for years. They're not going to give me a bug bounty...
In a nutshell some API endpoints are HTTP which means I can most probably take control of your account if we're on the same wifi
Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts. Pretty serious vuln[erability], FB. please fix.
In short, the hack involves taking advantage of an HTTP connection:
Instagram uses HTTP for much of its communications, passing the user’s account name and an identifying account number in the clear. And as Graham demonstrated, there are other pieces of data sent between Instagram’s iOS client and the service that are passed in the clear. Even though the user’s credentials are submitted using a secure connection, information passed back by Instagram’s application interface to the phone client provides a cookie that can be used on the same network without reauthentication to connect via the Web to Instagram as that user and gain access to private messages and other data. “Once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP,” he wrote.
It turns out, this flaw is almost exactly the same as a bug known as Firesheep. Back in 2010, Firesheep forced both Facebook and Twitter to switch to HTTPS connections.
Facebook and Instagram officials still don't seem too concerned either. There's no statement or response yet about the hack.
What should you do in the meantime? If you can help it, don't log in to Instagram from your iPhone or iPad.
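For defenders, the condition described above (a session cookie issued at login that the client then also sends to plain-HTTP endpoints) can be checked against captured traffic records. The following is an added example, not code from the original article, from Graham, or from Instagram; the cookie name `sessionid`, the `example.test` hosts and the sample records are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "sessionid"  # assumed name of the session cookie

# Constructed sample records: (request URL, request headers, response headers)
SAMPLE = [
    ("https://api.example.test/login", {},
     {"Set-Cookie": "sessionid=abc123; Path=/; HttpOnly"}),
    ("http://api.example.test/feed", {"Cookie": "sessionid=abc123; lang=en"}, {}),
    ("https://api.example.test/inbox", {"Cookie": "sessionid=abc123"}, {}),
    ("http://api.example.test/static/logo.png", {"Cookie": "lang=en"}, {}),
]


def audit(records, cookie_name=SESSION_COOKIE):
    """Return (finding, url) pairs for session-cookie exposure.

    missing-secure-flag: the server issued the session cookie without the
        Secure attribute, so the client may attach it to HTTP requests.
    cookie-over-http: the session cookie was actually sent in cleartext,
        readable by anyone observing the shared network.
    """
    findings = []
    for url, req_headers, resp_headers in records:
        # Check how the cookie was issued.
        issued = SimpleCookie()
        issued.load(resp_headers.get("Set-Cookie", ""))
        if cookie_name in issued and not issued[cookie_name]["secure"]:
            findings.append(("missing-secure-flag", url))

        # Check whether the cookie travelled over an unencrypted request.
        sent = SimpleCookie()
        sent.load(req_headers.get("Cookie", ""))
        if urlsplit(url).scheme == "http" and cookie_name in sent:
            findings.append(("cookie-over-http", url))
    return findings


if __name__ == "__main__":
    for finding, url in audit(SAMPLE):
        print(f"{finding:20} {url}")
```

Setting `Secure` on the session cookie and serving every endpoint over HTTPS clears both findings.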