Security researcher Mazen has found new critical issue that he had identified session Hijacking vulnerability on Instagram Mobile App. attackers can able users account and successfully access private photos, delete victim's photos, edit comments and also post new images.Mazen had installed the app on phone, and monitoring the traffic in the network using WireShark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted.
Wireshark has captured unencrypted data that goes through HTTP. This data includes: The pictures that the victims watching, The victim's session cookies, the victim's username and ID.
Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication.
A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.
It is unbelievable that a company such as Facebook does not take the maximum measure to insure the security of their users. The session cookies and used it on his computer, and simply “The Victim's Session Has Been Hijacked”.
Researcher reported this issue to Facebook, and they emailed me saying:
The security member said:” Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS”.
If this unencrypted data can lead to session hijacking and stalking Instagram users, this may raise an eye-brow of suspicious.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
