CHINA TOPIX

12/22/2024 07:28:09 pm

Make CT Your Homepage

How Anyone Can Hack Your Instagram Account Via Public Wi-Fi

Photosharing slash social media application Instagram will now transition into HTTPS encryption after the discovery of a dangerous zero-day vulnerability in their software.

This is a security lapse developers are not aware of that can lead to hackers hijacking any user's account.

London-based security expert Stevie Graham discovered hackers can access any targeted account as long as they're connected on the same public Wi-Fi network. 

Like Us on Facebook

Instagram hasn't yet applied HTTPS encryption to its websites.

This omission poses a serious risk to mobile devices, especially those that use the app via their Apple devices in public Wi-Fi hotspots.

Graham created a tool called Instasheep capable of quickly hacking numerous Instagram accounts. This tool is inspired by a Firefox "hacking" extension called Firesheep.

Instasheep works by targeting Instagram's API or application programming interface that transmits an unencrypted request in a form of a cookie or data file where it reveals if the user is still logged in.

When a hacker is connected to a public Wi-Fi hotspot that has no encryption or still uses an outdated one, he can collect the network traffic and exploit a man-in-the-middle attack that "eavesdrops" on conversations or impersonates the targeted account's user. 

Although Instagram Direct allows users to share photos and videos in private sessions, it is fully encrypted with HTTPS.

Instagram co-founder Mike Krieger reassures Instagram users that the company plans to upgrade the whole application to HTTPS soon.

Krieger confirms this security update by saying they have been steadily increasing their HTTPS coverage over at Instagram Direct.

They are actively rolling out these changes for the remainder of the app such as the news feed and other browsing features. 

As for Graham's discovery of this security lapse in the app, this configuration problem compelled many Internet companies to encrypt their websites into full HTTPS.

A fully encrypted website shows "https://" in the URL and a small padlock icon appears beside it.

Real Time Analytics