This article was published on July 29, 2014

Instagram planning to complete HTTPS rollout ‘soon,’ after developer exposes iOS flaw


Instagram planning to complete HTTPS rollout ‘soon,’ after developer exposes iOS flaw

Instagram co-founder Mike Krieger has responded to the publication of a potential vulnerability on the app’s iOS version by noting that the company plans to finish upgrading to HTTPS for the entire service “soon.”

Developer Stevie Graham went public with the vulnerability after Facebook failed to fix the issue. According to a Hacker News comment, Graham discovered the issue years ago and was shocked when he realized it hadn’t been fixed.

The issue exposes users of the iOS app to attacks via man-in-the-middle because Instagram sends some unencrypted data with the session cookie. A malicious actor could then use those cookies to spoof the account when navigating to other profiles.

Here’s Krieger’s response to the issue (via the same Hacker News thread):

We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Meanwhile, an Instagram spokesperson provided the following statement:

We are doing the technical work that is necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance. We’ll keep the Instagram community updated on our progress.

Graham, for his part, has threatened to release an “Instasheep” tool automating the process in order to force Facebook’s hand:

Last year, Facebook announced that it had switched to HTTPS browsing by default. Today’s Instagram vulnerability isn’t hugely critical, but the company ought to speed up its efforts to follow in its parent’s footsteps.

Image credit: Getty Images

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with