Instagram hole closed after blackmail

For several years, the code of Instagram's iOS application contained a bug that let an attacker hijack accounts of the photo social network whenever the user connected to the service over an open Wi-Fi network.

The vulnerability was first publicly reported by Stevie Graham, a developer from Britain, who tweeted about the bug on July 27.

The programmer found that Instagram for iOS partially uses an insecure HTTP connection. When a user opens the photo network's app on an iPhone that is connected to public Wi-Fi, an attacker on the same network can intercept the app's unencrypted traffic and take over the account linked to the application.
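To make the mechanism concrete, here is an added example (not code from the article and not Instagram's own code): an audit that flags which of an app's endpoints are fetched without TLS, a parser that shows what a passive listener on the same Wi-Fi network recovers from one cleartext request, and a check for the server-side mitigation (the `Secure` cookie attribute) that stops the session cookie from ever travelling over plain HTTP. The hostnames, paths, user agent and the cookie name `sessionid` are all constructed for illustration and are not Instagram's.

```python
"""Added example: why a partly-HTTP mobile app is hijackable on open Wi-Fi.

Not Instagram's code. Every hostname, path, header value and cookie name
below is constructed for illustration (note the .invalid TLD).
"""
from urllib.parse import urlsplit

# Constructed list of endpoints an app might call. In a real audit this
# list comes from an intercepting proxy log taken while exercising the app.
APP_ENDPOINTS = [
    "https://example-photos.invalid/api/v1/direct/inbox",
    "http://example-photos.invalid/api/v1/feed/timeline",
    "https://example-photos.invalid/api/v1/accounts/login",
    "http://example-photos.invalid/api/v1/media/popular",
]

# Constructed example of what a passive sniffer on the same Wi-Fi network
# sees for one of the cleartext requests above. The token is made up.
CAPTURED_REQUEST = (
    b"GET /api/v1/feed/timeline HTTP/1.1\r\n"
    b"Host: example-photos.invalid\r\n"
    b"User-Agent: ExampleApp/6.0 (iPhone; iOS 7.1)\r\n"
    b"Cookie: sessionid=abc123deadbeef; csrftoken=x9y8z7\r\n"
    b"\r\n"
)


def cleartext_endpoints(urls):
    """Return every URL the app fetches without TLS (anything not https)."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def parse_request(raw):
    """Parse a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive, as the
    protocol requires.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def session_cookies(raw, names=("sessionid",)):
    """Pull the named session cookies out of a captured cleartext request.

    Because the request was sent in the clear, this is everything a
    Firesheep-style listener needs to act as the logged-in user.
    """
    _, _, headers = parse_request(raw)
    found = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name in names:
            found[name] = value
    return found


def cookie_has_secure_flag(set_cookie_header):
    """True if a Set-Cookie header carries the Secure attribute.

    A Secure cookie is never attached to a plain-HTTP request, so the
    session survives even if the client mixes http:// and https:// calls.
    """
    attributes = {
        p.strip().split("=", 1)[0].lower()
        for p in set_cookie_header.split(";")[1:]
    }
    return "secure" in attributes


if __name__ == "__main__":
    for url in cleartext_endpoints(APP_ENDPOINTS):
        print("cleartext endpoint:", url)
    print("session cookie visible on the wire:", session_cookies(CAPTURED_REQUEST))
    print("Secure flag set:", cookie_has_secure_flag("sessionid=abc; Path=/; HttpOnly"))
```

The check a practitioner cares about is the combination: one cleartext request that carries the session cookie is enough for a takeover, no matter how many of the app's other calls already use HTTPS. Moving every endpoint to TLS closes the hole on the client side; marking the session cookie `Secure` (and, separately, `HttpOnly`) closes it on the server side even before every client has been updated.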

Graham claims that he has known about the bug for several years and had even mentioned it on Hacker News, Y Combinator's news site. The developer said that he never used the bug himself, but recalled it only recently and decided to check whether Instagram had eliminated the vulnerability in its app. He found that it still had not been fixed.

The programmer sent a report on the vulnerability to Facebook and Instagram, hoping to receive the monetary reward that Mark Zuckerberg's social network pays for bug reports. Both companies, however, declined to pay Graham.

Facebook, the social network that owns Instagram, responded that it had already received reports of this vulnerability and that it would be fixed soon.

The programmer was outraged by this turn of events, and by the carelessness of the engineers responsible for the service, who had not eliminated such a serious bug in all those years. Stevie Graham threatened to publish a purpose-built tool, Instasheep, that hijacks accounts through the vulnerability he found (the name echoes Firesheep, the 2010 browser extension that hijacked sessions of other sites over open Wi-Fi in the same way).

The threat worked: Mike Krieger, co-founder of Instagram, appeared in the comments on Stevie's Hacker News post. He confirmed that the company had indeed delayed fixing the bug and moving the application fully to HTTPS. Krieger promised that the bug would be fixed soon and that he would report back when it was.

Krieger also stressed that newer Instagram features such as Instagram Direct, launched last year, already run over HTTPS and therefore cannot be hijacked through the bug Graham described.

On July 29 the iOS version of Instagram was updated. The release notes say only that minor bugs in the app were fixed, without specifying which.