Due to the security vulnerabilities of the Photo Sharing service Instagram, user profiles can be accessed via public WLAN networks. Steven Graham, a London developer, has found this and reported to the parent company, Facebook, with the hope to get a reward for it.
Facebook, however, Graham denied the "head money" (Bug Bounty). This is the reason why the developer posted the bug: "Bug Bounty is denied, the next step is now to build an automatic tool that allows massive user account debugging, quite serious vulnerability, Facebook
Allegedly, Steven Graham had known this vulnerability for years. Instagram uses HTTP for most of its data transfer. The user name and the associated account number are passed on unencrypted. Graham points out that the information is freely transferable between the user's iPhones and the service.
Although the credentials and passwords are exchanged over a secure connection, the accounts can still be cracked using the same cookie of other exchanged information in the same network. And without a new registration. "Once you have a cookie, each target can be authenticated, whether it's HTTPS or HTTP," says Graham.
Through the Cookie-Klau-tool "Firesheep", Facebook was initiated in 2010 to introduce HTTPS connections. The current vulnerability is very similar to Firesheep. Graham therefore wants to call his automated tool for spying out the user data, which he previously announced via Twitter, to instasheep.
At Hacker News, Instagram's co-founder Mike Krieger explained that the app was about to expand the HTTPS coverage. Allegedly, performance, stability and the use experience are not to suffer. Soon the project will be completed. Whether the Android app is affected by the vulnerability is unclear.
No comments:
Post a Comment