Instagram Planning to Complete HTTPS Rollout 'Soon’

Instagram co-founder Mike Krieger has responded to the publication of a potential vulnerability on the app’s iOS version by noting that the company plans to finish upgrading to HTTPS for the entire service “soon.”

Developer Stevie Graham went public with the vulnerability after Facebook failed to fix the issue. According to a Hacker News comment, Graham discovered the issue years ago and was shocked when he realized it hadn’t been fixed.

The issue exposes users of the iOS app to attacks via man-in-the-middle because Instagram sends some unencrypted data with the session cookie. A malicious actor could then use those cookies to spoof the account when navigating to other profiles.

Here’s Krieger’s response to the issue (via the same Hacker News thread):

We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.

Meanwhile, an Instagram spokesperson provided the following statement:

Webinar: Unicorn DNA: The Blueprint for Scaling Success

What does it take to build a unicorn? Top executives of unicorn companies reveal the mindset, strategies, and innovative thinking that propelled their companies to the top.

Watch Back Now

We are doing the technical work that is necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance. We’ll keep the Instagram community updated on our progress.

Graham, for his part, has threatened to release an “Instasheep” tool automating the process in order to force Facebook’s hand:

I hope @instagram gets around to patching the hole before I get around to releasing this tool… pic.twitter.com/wWCCoA3WS5

— Stevie Graham (@stevegraham) July 28, 2014

Last year, Facebook announced that it had switched to HTTPS browsing by default. Today’s Instagram vulnerability isn’t hugely critical, but the company ought to speed up its efforts to follow in its parent’s footsteps.

Image credit: Getty Images

Story by Josh Ong

Josh Ong is the US Editor at The Next Web. He previously worked as TNW's China Editor and LA Reporter. Follow him on Twitter or email him a (show all) Josh Ong is the US Editor at The Next Web. He previously worked as TNW's China Editor and LA Reporter. Follow him on Twitter or email him at josh@thenextweb.com.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Instagram planning to complete HTTPS rollout ‘soon,’ after developer exposes iOS flaw

Get the TNW newsletter

Also tagged with

Google Street View now lets you ‘time travel’ on your phone. Here’s how

With iOS 16, Apple’s banishing CAPTCHAs to the underworld

Discover TNW All Access

Meta begrudgingly launches €9.99 ad-free subscription for Facebook and Instagram

AI stalks influencers in the wild to expose horrors of high-tech surveillance