Alert! Alert! If you use Instagram's Android app, complete strangers could be looking at your photos of appetizers and makeup techniques right now! ...which is kind of the point of Instagram, I suppose. But security researcher Mazin Ahmed discovered that the app uses standard HTTP to transmit photos, cookies, and authentication (including usernames and unique IDs), instead of the encrypted HTTPS protocol. As Mr. Mackie is so fond of saying, that's bad.


Using a set of freely-available tools, Ahmed was able to hijack the app's connection from a PC on the same network and authenticate as the relevant user. It's a fairly standard technique for hackers, which is why most sites and services with any kind of log-in functionality use HTTPS by default, including Instagram's owner, Facebook. The fact that the app doesn't use this is pretty alarming.

I was shocked after seeing the results; it is unbelievable that Facebook, the company that is responsible for Instagram, did not ensure that the data is secured and goes through HTTPS.

Ahmed alerted Facebook to the security issue in the Instagram app, and Facebook responded to say that they are indeed working on adding HTTPS functionality. Unfortunately they have no timeline for the update. Ahmed recommends not using the Instagram Android app until this issue is patched, and that users should log in on the web instead... where you can't upload photos to the service. Boo, hiss.
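As an added example (not from the article or from Ahmed's research), here is the check a defender would run on a capture of their own device's traffic: given one cleartext HTTP request, list the authentication material an on-path observer on the same network could read. The request, host, and cookie and header names below are constructed placeholders, not Instagram's real ones.

```python
"""Audit one captured HTTP request for session material sent in cleartext."""
from email.parser import BytesParser
from urllib.parse import parse_qs

# Header and parameter names treated as session/auth material (assumption,
# chosen to mirror the article: cookies, auth tokens, usernames, user IDs).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrftoken"}
SENSITIVE_PARAMS = {"username", "password", "user_id", "access_token"}

# Constructed sample request (not real traffic); values are placeholders.
CAPTURED_REQUEST = (
    b"POST /api/v1/upload?user_id=12345 HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Cookie: sessionid=PLACEHOLDER_SESSION; csrftoken=PLACEHOLDER_TOKEN\r\n"
    b"Authorization: Bearer PLACEHOLDER_BEARER\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"username=alice&caption=x"
)


def audit_plaintext_request(raw: bytes) -> dict:
    """Return what an on-path observer learns from one plain-HTTP request.

    Over HTTPS none of this would be readable; over HTTP every header,
    cookie and parameter is, which is the article's finding.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, target, _version = request_line.decode("ascii").split(" ", 2)
    # The email parser handles RFC 822-style "Name: value" headers for us.
    headers = BytesParser().parsebytes(header_block)
    exposed_headers = sorted(h for h in headers.keys() if h.lower() in SENSITIVE_HEADERS)
    # Cookie names are enough to show what a hijacker could replay.
    cookies = [c.strip().split("=", 1)[0]
               for c in headers.get("Cookie", "").split(";") if c.strip()]
    params = parse_qs(target.partition("?")[2])          # query string
    params.update(parse_qs(body.decode("utf-8", "replace")))  # form body
    exposed_params = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
    return {
        "method": method,
        "host": headers.get("Host", ""),
        "exposed_headers": exposed_headers,
        "exposed_cookies": sorted(cookies),
        "exposed_params": exposed_params,
    }


if __name__ == "__main__":
    for key, value in audit_plaintext_request(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Any non-empty `exposed_*` list on a request your app sent over port 80 is the condition the article describes: the session can be replayed by anyone on the same network.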

Source: Mazin Ahmed via The Hacker News, Matthew Connor