Almost since the inception of social networks, all of them have offered some form of privacy enforcement for their users. The main idea is to let the user control who can see what. This kind of privacy rule enforcement (under the users' own control) is implemented in all social networks; Facebook and Google+ are good examples. But when you restrict some personal information (private posts, private images, etc.), to what extent does the restriction apply? We want to show that in the case of Instagram it is a superficial, not a real, enforcement against intervening infrastructure. That is, a middleman between you and Instagram can watch all those so-called private photos.
Here I selected one of my friends on Instagram whose profile, as the photo below shows, was private.
Since I follow him, I could access his private media. Then I selected an image in his profile and opened it.
In the left picture above you can see the profile to which I have access because I am one of his followers and am authorized to see his private media. The right one is the picture that I opened on my Android device.
In order to see what the Instagram app is doing behind the scenes, we should investigate the device's network stream, which in our case comes from an Android device. As the app communicates with its remote servers, I watch its data stream on my desktop computer. Let's look at the unencrypted part of the Instagram connection.
Access to media is done over plain HTTP, and the links the Android app requested are shown above. I take the link to the private image that I opened on my mobile phone and which apparently must not be publicly visible. We request the link and see what happens:
$ curl -i http://188.8.131.52/hphotos-ak-xat1/t51.2885-15/s750x750/sh0.08/e35/14240596_153608428420840_1518079589_n.jpg
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 207
Expires: Tue, 29 Nov 2016 23:06:56 GMT
Date: Tue, 29 Nov 2016 23:06:56 GMT
Connection: close

Invalid URL
The requested URL "[no URL]", is invalid.
You see that the server does not deliver the requested image using that URL. Let's go back and look at the HTTP request/response pair more carefully:
It doesn't seem hard to work around this error message, as the contents of the packets don't show any specific access control mechanism. These are the request headers the client sends to the remote server:
user-agent: Instagram 10.0.1 Android (23/6.0; 320dpi; 720*1184 .....
accept-language: en-US
accept-encoding: gzip, deflate
Host: igcdn-photos-a-a.akamaihd.net
x-fb-http-engine: Liger
Connection: keep-alive
Getting back to the error message: if it is not intended to mislead the client, it seems to be related to an addressing issue. The request header contains the app's special user-agent, but the source of the error is something else. We requested the URL with the URL's own host name as its host, so the Host header in our request is an IP address. The app's request, however, uses another host: igcdn-photos-a-a.akamaihd.net
So we tamper with the HTTP request, fix the Host header and resend the request:
And my laptop's browser shows the private picture. In the same way, every image I open on my phone I can see on my laptop.
To perform the analysis I had to route my device's internet traffic through my computer in order to access Instagram, but naturally all your data goes through your ISP and other middleware anyway. This means that ISPs can effortlessly watch all the private images/videos you put on Instagram. Not only this: those data can be modified into anything else before reaching the user. It is also much easier to find the creator of a post when the app communicates over plain connections.
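As an added example (not code from the original post), here is a small audit script that parses request heads of the kind shown above from captured flows and reports every media object fetched over readable HTTP, which is exactly what an ISP or any other middleman on the path gets to see. A flow that does not parse as an HTTP/1.x request head (a TLS handshake, for instance) is reported as nothing, because nothing readable was exposed. The host names, paths and user-agent in the sample flows are constructed for this example, not Instagram's.

```python
"""Audit captured app traffic for media fetched over cleartext HTTP.

Added example, not code from the original post. Input is a list of flows
as a proxy or packet capture would show them: (destination port, first
bytes of the client-to-server stream). A request head that parses as
HTTP/1.x was readable on the wire, so any media object it names is
exposed to every middlebox on the path. The sample flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# File extensions treated as user media (constructed list for this example).
MEDIA_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4")


@dataclass(frozen=True)
class Finding:
    port: int
    host: str
    path: str
    user_agent: str


def parse_request_head(raw: str) -> Optional[tuple[str, str, dict[str, str]]]:
    """Parse an HTTP/1.x request head into (method, target, headers).

    Returns None when the bytes are not a readable request head, which is
    what a TLS ClientHello or any other encrypted stream looks like here.
    """
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; anything after it is body
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, headers


def is_media_target(target: str) -> bool:
    """True when the request target names a media file by extension."""
    path = target.split("?", 1)[0].lower()
    return path.endswith(MEDIA_EXTENSIONS)


def audit_flows(flows: list[tuple[int, str]]) -> list[Finding]:
    """Return one Finding per media object requested in readable HTTP."""
    findings: list[Finding] = []
    for port, raw in flows:
        parsed = parse_request_head(raw)
        if parsed is None:
            continue  # encrypted or non-HTTP: nothing readable to report
        method, target, headers = parsed
        if method != "GET" or not is_media_target(target):
            continue
        findings.append(Finding(
            port=port,
            host=headers.get("host", ""),
            path=target.split("?", 1)[0],
            user_agent=headers.get("user-agent", ""),
        ))
    return findings


def hosts_serving_cleartext_media(findings: list[Finding]) -> dict[str, int]:
    """Count exposed media fetches per Host header, for a quick report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample flows: one cleartext media fetch, one cleartext HTML
# page, and the opening bytes of a TLS handshake (not parseable as HTTP).
SAMPLE_FLOWS = [
    (80, "GET /media/t51/s750x750/photo_0001.jpg HTTP/1.1\r\n"
         "Host: cdn.example.net\r\n"
         "user-agent: ExampleApp 1.0 Android\r\n"
         "Connection: keep-alive\r\n\r\n"),
    (80, "GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    (443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"port {f.port}: {f.user_agent!r} fetched {f.host}{f.path} in cleartext")
    print(hosts_serving_cleartext_media(results))
```

Run against the constructed flows, the script reports only the `.jpg` fetch on port 80; the HTML page is readable too but is not user media, and the TLS flow yields nothing because its bytes never parse as a request head. Feeding it the request heads from a real capture of an app is a quick way to check whether the app's media traffic is actually protected in transit.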
Social media, though very fun to use, raise some serious issues when it comes to security and privacy. This was an example of how simply a large portion of a user's private data can be compromised without them even being aware of it. Some social networks like Facebook (which also owns Instagram) use encrypted connections to transfer users' media, but as you saw in this post, this is not the case for Instagram.
Contact: email@example.com
twitter.com/_BitWar
BTC Donation: 14VbVxML8M2MUnXF9kPAKWCEQka232pc5h
Iran University of Science and Technology, Department of Computer Engineering