Instagram Private Profiles Are Open to MITM Attacks

mitm

Since nearly social networks inception, all such networks offered some sort of privacy enforcement for their users. The main idea was to make the system so that the user can control who can see what? This kind of privacy rules enforcement (under the users’ control themselves) was implemented in all social networks which a good example can be facebook and google+ . But when you restrict some sort of personal information (private posts, private images, etc) to what extend does the restriction apply? We want to show that in the case of ‘Instagram’ it is a superficial non-real enforcement for intervening infrastructures. That is a middle man between you and instagram can watch all those so-called private photos.

Here I selected one of my friends in instagram whose profile as the photo below shows, was private.

private-profile

As I’m following him, I could access his private media. Then I selected an image in his profile and opened it.

a1

a2

In the left picture above you can see the profile to which I have access because of the fact that I’m one of his followers and authorized to see his private media. And the right one is the picture that I opened in my Android device.

In order to see what the instagram app is doing behind the scene we should investigate the device’s network stream which in our case is an Android device. As the app is communicating to its remote servers I watch its data stream on my desktop computer. Let’s see the unencrypted part of the the instagram connection.

link

The access to media is done through HTTP protocol and the links which the Android app requested are shown above. I fetch the link to the private image which I opened in my mobile phone and apparently must not be publicly visible. We request the link and see what happens:

$ curl -i http://217.89.106.19/hphotos-ak-xat1/t51.2885-15/s750x750/sh0.08/e35/14240596_153608428420840_1518079589_n.jpg
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 207
Expires: Tue, 29 Nov 2016 23:06:56 GMT
Date: Tue, 29 Nov 2016 23:06:56 GMT
Connection: closeInvalid URLInvalid URLInvalid URL

Invalid URL

The requested URL “[no URL]”, is invalid.

Reference #9.f6a59d9.1480460816.8ee2e60

inv

You see that server does not deliver the requested image by using that URL. Let’s go back and watch the HTTP request/response pair more carefully:

req2

res

It doesn’t seem hard to work around this error message as the contents of the packets don’t show any specific access control mechanism. This is the request headers the client is sending to the remote server:

user-agent: Instagram 10.0.1 Android (23/6.0; 320dpi; 720*1184 .....
accept-language: en-US
accept-encoding: gzip, deflate
Host: igcdn-photos-a-a.akamaihd.net
x-fb-http-engine: Liger
Connection: keep-alive

Getting back to the error message if that is not intended to misguide the client, seems something related to addressing issues. The request header contains its special user-agent but the source of the error is something else. We requested the url with its host as the host name of the url. So the host in our request is an IP address. But the App’s request is using another host: igcdn-photos-a-a.akamaihd.net
So we tamper the HTTP request and fix the host header then resend the request:

pic

And my laptop’s browser shows the private picture. In the same way, every image I open in my phone I can see on my laptop’s desktop.

To perform the analysis I had to make my device’s internet to pass through my computer in order to access intagram but naturally all your data are going through your ISP and other middleware . This means that the ISPs can effortlessly watch all your private images/videos as you put them in instagram. Not only this. Those data can be modified to anything else before reaching to the user. Also it would be much easier to find the creator of a post when the app is communicating through plain connections.

Social medias though very fun to use, but raise some serious issues when it comes to security and privacy. This was an example of how simply a large portion of a user’s private data can be compromised without they even being aware about it. Some social networks like facebook (which also owns instagram) use encrypted connections to transfer users’ media, but as you saw in this post, this is not the case for instagram.

Contact: sirus.shahini@gmail.com
         twitter.com/_BitWar
         BTC Donation: 14VbVxML8M2MUnXF9kPAKWCEQka232pc5h
Iran University of Science and Technology
Department of Computer Engineering


2 thoughts on “Instagram Private Profiles Are Open to MITM Attacks

  1. IMHO, the only issue is that connections are not encrypted (a big issue though), but concerning the possibility to copy a “sharing link” for a private content is not a big deal since the one who can retrieve that link is already allowed to see the content and the shared content doesn’t allow commenting, i.e he could anyway download/screenshot/copy the content then resend it.

    1. The problem is that an intermediary party can intercept and see any media you see without you knowing about it. You should consider this scenario: You go to one of your friends house. You connect to his WiFi and start browsing your instagram photos and videos which are sent by possibly private profiles. Those people don’t want any body to be able to see their photos except his followers. But what happens now? Your friend whose house you’ve connected to Internet at, can see all the posts of your instagram feed, including those of your friends that has chosen their posts to be private. In this manner being private only means whether or not people should get a user’s permission to actually follow him/her on the app. But being private in reality means much more.

Leave a Reply

Your email address will not be published. Required fields are marked *