Session Hijacking in Instagram Mobile App via MITM Attack [0-DAY]

In this post, I am going to share a new critical issue that I have identified in the Instagram mobile app. During my tests on their Android app, I set up a lab to pentest the app. Then I started using the app on my phone and monitoring the network traffic with Wireshark, looking for evidence of unencrypted data going over the network, or for a technique to make that data unencrypted (if it was encrypted). As soon as I logged into my account on my phone, Wireshark captured unencrypted data going over HTTP. This data included the pictures the victim was viewing, the victim’s session cookies, and the victim’s username and ID.

I was shocked after seeing the results; it is unbelievable that Facebook, the company responsible for Instagram, did not ensure that the data is secured and sent over HTTPS.

I took the session cookies and used them on my computer, and simply, “the victim’s session has been hijacked”.
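To show what an auditor looks for in a capture like the one described above, here is a small added example (my own illustration for this post, not code from the original report or from Instagram). It walks a handful of constructed HTTP messages, flags any session cookie that travels in a plaintext (non-TLS) request, and flags a Set-Cookie that issues a session cookie without the Secure attribute, which is what lets a client send it over plaintext in the first place. The hostname, cookie names and cookie values are constructed placeholders, not identifiers from the app.

```python
"""Audit captured HTTP messages for session cookies exposed to a network observer."""
from dataclasses import dataclass
from typing import List, Tuple

# Substrings that mark a cookie as session-bearing for this audit.
# Constructed for illustration; real apps use their own names.
SESSION_COOKIE_HINTS = ("sessionid", "session", "sid", "token")


@dataclass
class Message:
    tls: bool   # True when the capture shows this message inside a TLS stream
    raw: str    # the HTTP request or response text, CRLF-delimited


@dataclass
class Finding:
    kind: str
    detail: str


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the start line and a list of (lower-cased name, value) header pairs."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def looks_like_session(cookie_name: str) -> bool:
    name = cookie_name.lower()
    return any(hint in name for hint in SESSION_COOKIE_HINTS)


def audit(messages: List[Message]) -> List[Finding]:
    """Flag session cookies sent in the clear and session cookies issued without Secure."""
    findings: List[Finding] = []
    for msg in messages:
        start, headers = parse_headers(msg.raw)
        for name, value in headers:
            if name == "cookie":
                # Request side: every cookie the client attached to this request.
                for pair in value.split(";"):
                    cname = pair.split("=", 1)[0].strip()
                    if looks_like_session(cname) and not msg.tls:
                        findings.append(Finding(
                            "cleartext-session-cookie",
                            f"{cname} sent with '{start}' over plaintext HTTP"))
            elif name == "set-cookie":
                # Response side: how the server issued the cookie.
                parts = [p.strip() for p in value.split(";")]
                cname = parts[0].split("=", 1)[0]
                attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
                if looks_like_session(cname):
                    if not msg.tls:
                        findings.append(Finding(
                            "cleartext-set-cookie",
                            f"{cname} issued over plaintext HTTP"))
                    if "secure" not in attrs:
                        findings.append(Finding(
                            "missing-secure-flag",
                            f"{cname} issued without Secure; client may send it over HTTP"))
    return findings


# Constructed sample traffic: hostnames, cookie names and values are placeholders.
SAMPLE_TRAFFIC = [
    # Image fetch over plaintext HTTP that carries the session cookie: the exposure.
    Message(tls=False, raw="GET /photo/12345.jpg HTTP/1.1\r\nHost: cdn.example.test\r\n"
                           "Cookie: sessionid=CONSTRUCTED_SESSION_VALUE; uid=1001\r\n\r\n"),
    # Login response over TLS, but the cookie lacks Secure, so later plaintext requests leak it.
    Message(tls=True, raw="HTTP/1.1 200 OK\r\n"
                          "Set-Cookie: sessionid=CONSTRUCTED_SESSION_VALUE; Path=/; HttpOnly\r\n\r\n"),
    # Hardened form: Secure present, so the client only sends the cookie over TLS.
    Message(tls=True, raw="HTTP/1.1 200 OK\r\n"
                          "Set-Cookie: sessionid=CONSTRUCTED_SESSION_VALUE; Path=/; Secure; HttpOnly\r\n\r\n"),
    # Plaintext request with no session cookie: not a finding.
    Message(tls=False, raw="GET /public/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TRAFFIC):
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed traffic, the audit reports two findings: the session cookie riding on the plaintext image request, and the login response that issued that cookie without the Secure attribute. The third message shows the corrected Set-Cookie and produces nothing; serving every endpoint over HTTPS and marking the cookie Secure is the fix the post asks for.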

I have reported this issue to Facebook, and they responded with the following:

The security member of Facebook stated: “Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS”. If this unencrypted data can lead to session hijacking and stalking of Instagram users, this may raise an eyebrow of suspicion.

Until a patch is released (Facebook has not committed to a specific date for one), do not use the Instagram mobile app. Instead, use the normal website; it is generally secured and encrypted.

Final Thoughts:

It is unbelievable that a company such as Facebook does not take every measure to ensure the security of its users. Right now, this issue might be exploited in public by surveillance agencies and cybercriminals.

Mazin Ahmed
