OP here. I discovered this years ago. I suspect it has been extant for as long as Instagram itself. I actually posted a comment about this 216 days ago! (https://news.ycombinator.com/item?id=6959472). When I checked again on Saturday, I couldn't believe my eyes when I saw it still hadn't been fixed. I reported it to FB immediately, to which they responded it's been reported "some" times and the Instagram team were working on moving all endpoints to HTTPS and they closed the ticket without further discussion. I was incensed that such a fundamental and critical flaw was allowed to exist for so long. Because of this I decided public disclosure was justified.
Mike (co-founder) from Instagram here. Thank you for raising the issue; it's an important one.
We've been steadily increasing our HTTPS coverage--Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we're actively working on rolling out HTTPS while making sure we don't regress on performance, stability, and user experience. This is a project we're hoping to complete soon, and we'll share our experiences in our eng blog so other companies can learn from it as well.
"This issue has been reported some already so unfortunately cannot reward you, Instagram is working to get HTTPS for all endpoints. It's a pretty high barrier to exploitation to already sniffing someone's traffic however.
Thanks,
name removed
Security
Facebook"
And here I am sitting in the Apple Store around the corner from my apartment watching various cookies whizz past my screen.
I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart. The obvious precedent for this is Firesheep (now sadly not functional) from back in 2010.
Thanks, I referenced Firesheep in the grandparent. FS is currently very broken. I still couldn't get it to work after downloading the source and making some changes. The OS X API used by FS has long been deprecated and simply doesn't work on Mavericks. If there is enough interest I will write "Instasheep" this evening.
Hi, I'm the author of Firesheep. The code in git master should work with recent versions of Firefox, but there is an issue when running on recent versions of OS X related to elevating privileges. If you manually setuid the firesheep-backend binary, it might work. Let me know if you're interested in helping to fix this! Writing a handler for this Instagram vulnerability should be trivial.