Instagram co-founder Mike Krieger has responded to the publication of a potential vulnerability on the app’s iOS version by noting that the company plans to finish upgrading to HTTPS for the entire service “soon.”
Developer Stevie Graham went public with the vulnerability after Facebook failed to fix the issue. According to a Hacker News comment, Graham discovered the issue years ago and was shocked when he realized it hadn’t been fixed.
The issue exposes users of the iOS app to man-in-the-middle attacks because Instagram sends some requests over unencrypted HTTP with the session cookie attached. An attacker able to intercept that traffic could then replay those cookies to impersonate the account when navigating to other profiles.
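The exposure described above, as an added example that is not code from the article or from Instagram: a small audit over constructed HTTP transactions (hypothetical host and cookie names, since the article does not name Instagram's actual cookie) that flags a session cookie sent on a plain-HTTP request and Set-Cookie headers missing the Secure or HttpOnly attributes, which is the check a defender would run before and after an HTTPS rollout.

```python
from typing import NamedTuple
from urllib.parse import urlsplit

class Transaction(NamedTuple):
    url: str
    request_headers: dict            # e.g. {"Cookie": "sessionid=..."}
    response_headers: list           # (name, value) pairs; Set-Cookie may repeat

# Substrings that mark a cookie as session-bearing (assumption: the article
# does not name Instagram's actual cookie, so these are hypothetical hints).
SESSION_COOKIE_HINTS = ("session", "sid")

def parse_cookie_header(value):
    # Split a request Cookie header into {name: value}
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            pairs[name] = val
    return pairs

def audit(transactions):
    # Return (url, message) findings for cleartext session cookies and weak Set-Cookie flags
    findings = []
    for t in transactions:
        scheme = urlsplit(t.url).scheme.lower()
        for name in parse_cookie_header(t.request_headers.get("Cookie", "")):
            # The article's issue: a session cookie riding on a plain-HTTP request
            if scheme == "http" and any(h in name.lower() for h in SESSION_COOKIE_HINTS):
                findings.append((t.url, f"session cookie '{name}' sent over cleartext HTTP"))
        for hname, hval in t.response_headers:
            if hname.lower() != "set-cookie":
                continue
            cname = hval.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in hval.split(";")[1:]}
            # Secure stops the client from ever sending the cookie over HTTP
            if "secure" not in attrs:
                findings.append((t.url, f"Set-Cookie '{cname}' lacks the Secure attribute"))
            if "httponly" not in attrs:
                findings.append((t.url, f"Set-Cookie '{cname}' lacks the HttpOnly attribute"))
    return findings

# Constructed sample: HTTPS login sets a session cookie without Secure, then a feed fetch sends it over plain HTTP
SAMPLE = [
    Transaction("https://app.example.invalid/login", {}, [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]),
    Transaction("http://app.example.invalid/feed", {"Cookie": "sessionid=abc123; csrftoken=xyz"}, []),
    Transaction("https://app.example.invalid/direct", {"Cookie": "sessionid=abc123"}, [("Set-Cookie", "ds=1; Secure; HttpOnly; Path=/")]),
]
if __name__ == "__main__":
    for url, msg in audit(SAMPLE):
        print(f"{url}: {msg}")
```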
Here’s Krieger’s response to the issue (via the same Hacker News thread):
We’ve been steadily increasing our HTTPS coverage – Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.
Meanwhile, an Instagram spokesperson provided the following statement:
We are doing the technical work that is necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance. We’ll keep the Instagram community updated on our progress.
Graham, for his part, has threatened to release an “Instasheep” tool automating the process in order to force Facebook’s hand:
— Stevie Graham (@stevegraham) July 28, 2014
Last year, Facebook announced that it had switched to HTTPS browsing by default. Today’s Instagram vulnerability isn’t hugely critical, but the company ought to speed up its efforts to follow in its parent’s footsteps.