

Instagram vulnerability on iPhone allows for account takeover - derpenxyne
http://www.computerworld.com/s/article/9234236/Instagram_vulnerability_on_iPhone_allows_for_account_takeover

======
kmf
Trying to recreate this using Paros as a mitmproxy on Mac, looks like
Instagram has blocked any kind of logging in/profile editing (the two
vulnerabilities mentioned in the article) while on a proxy. No dice. Quick
response by their team though.

Edit: That's not to say a MITM couldn't happen without the vulnerable user
being on a proxy. Just trying to recreate it isn't working.

~~~
slig
How can they tell you're using a mitmproxy? Conversely, why isn't mitmproxy
completely transparent?

~~~
notaddicted
In the case of the Instagram iPhone app, since Instagram controls both the
application and the server they can validate their own certificates in the
iPhone app before continuing with the https request.
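
The check described above is certificate (or public-key) pinning: after the usual chain validation, the app also compares the server's key against a value shipped inside the app, so a proxy's certificate fails even if the device trusts the proxy's CA. The following is an added illustration, not code from Instagram or from anyone in this thread. It walks a DER-encoded certificate to its SubjectPublicKeyInfo, computes an RFC 7469-style pin (base64 of the SHA-256 of that DER), and checks it against a pin set. The certificates it parses are constructed fixtures that merely mirror the field order of real X.509; they are not signed and not valid.

```python
import base64
import hashlib

# --- minimal DER walker (added example; enough to reach SubjectPublicKeyInfo) ---

def der_read(buf, pos):
    """Read one DER element at pos; return (tag, value, end) where end is the
    offset just past the element."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Return [(tag, encoded_element)] for each element directly inside a
    SEQUENCE body; encoded_element keeps its tag and length bytes."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_elem = der_children(cert_body)[0]       # tbsCertificate
    _, tbs_body, _ = der_read(tbs_elem, 0)
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:            # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der):
    """RFC 7469-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def verify_pinned(cert_der, pinned):
    """The check an app makes after normal chain validation: the server's key
    must match one of the pins shipped with the app, or the request is aborted."""
    return spki_pin(cert_der) in pinned


# --- constructed test fixtures (not real Instagram certificates) ---

def der(tag, body):
    """Encode one DER element with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_sample_cert(public_key_bytes):
    """Build a certificate-shaped DER blob carrying the given public key so the
    walker above has something to parse. It is unsigned and not valid X.509;
    it only mirrors the field order of a real certificate."""
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    ec_pubkey_alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    spki = der(0x30, ec_pubkey_alg + der(0x03, b"\x00" + public_key_bytes))
    tbs = der(0x30, version + serial + sha256_rsa + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 9)), spki


if __name__ == "__main__":
    real_cert, _ = make_sample_cert(b"\x04" + b"\x11" * 32)
    proxy_cert, _ = make_sample_cert(b"\x04" + b"\x22" * 32)
    pins = {spki_pin(real_cert)}                   # what the app would ship
    print("genuine server accepted:", verify_pinned(real_cert, pins))   # True
    print("proxy certificate accepted:", verify_pinned(proxy_cert, pins))  # False
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate lets the operator renew the certificate without shipping an app update, as long as the key stays the same; shipping a backup pin for a spare key is what keeps a key rotation from locking every client out.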

------
stusmall
Has anyone tested this for the Android version?

------
alpb
Instagram uses the POST method to actually issue a "delete" photo request on their
API. Just wanted to say this is a bad REST API practice.

http://reventlov.com/advisories/instagram-plaintext-media-disclosure-issue

~~~
travisp
This surely has nothing to do with the security problem, even if it's not
exactly REST. It's not even that unusual for browser-focused APIs: for
example, many older browsers don't support sending the DELETE method, so Ruby
on Rails applications often send Ajax DELETE requests as a POST, with the
"_method" parameter set to "delete" (rather than a different URL as in the
case of Instagram).

That's probably not the reason in Instagram's case, but if you look at a lot
of public REST APIs you are going to find many things that aren't exactly
"REST".
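
To show concretely why tunnelling a DELETE inside a POST is a routing convenience and not a security problem in itself, here is an added example (mine, not Rails code and not anything from this thread). It models the `_method` convention the comment describes: the override is honoured only on POST, only for a fixed set of verbs, and the tunnelled DELETE reaches the same handler, with the same ownership check, as a native DELETE. The router, the photo store and the status codes are illustrative assumptions.

```python
from urllib.parse import parse_qs

# Verbs a form may tunnel through POST; anything else is ignored. This mirrors
# the convention the comment describes, not a specific framework's code.
OVERRIDABLE = {"PUT", "PATCH", "DELETE"}


def effective_method(request_method, body):
    """Apply the `_method` override only to POST. A GET (links, prefetch,
    image tags) must never be promoted to a state-changing verb."""
    if request_method != "POST":
        return request_method
    form = parse_qs(body, keep_blank_values=True)
    candidate = form.get("_method", [""])[0].upper()
    return candidate if candidate in OVERRIDABLE else "POST"


def handle(request_method, path, body, session_user, photos):
    """Tiny router over a {photo_id: owner} store (constructed). Both a native
    DELETE and a POST carrying _method=delete land in the same branch, so the
    ownership check cannot be bypassed by choosing the tunnelled form."""
    method = effective_method(request_method, body)
    prefix = "/photos/"
    if path.startswith(prefix) and method == "DELETE":
        photo_id = path[len(prefix):]
        owner = photos.get(photo_id)
        if owner is None:
            return 404
        if owner != session_user:
            return 403
        del photos[photo_id]
        return 204
    return 405


if __name__ == "__main__":
    store = {"42": "alice"}
    print(handle("GET", "/photos/42", "_method=delete", "alice", store))    # 405
    print(handle("POST", "/photos/42", "_method=delete", "mallory", store)) # 403
    print(handle("POST", "/photos/42", "_method=delete", "alice", store))   # 204
    print(store)                                                            # {}
```

What actually matters for the request, whichever verb carries it, is that it is authenticated over TLS and authorized against the resource owner; the method name is a routing detail.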

