Thwarted dev sets Instasheep to graze on Facebook accounts
Zuck-land tried to fix crumbling cookie with HTTPS but developer won't bite
London developer Stevie Graham has built an Instagram stealer dubbed Instasheep that can hijack accounts over public networks.
Graham (@stevegraham) published Instasheep - a play on the 2010 Facebook stealer Firesheep - after claiming Facebook refused to pay a bug bounty for his reported flaws affecting the Instagram iOS app.
Facebook was reportedly aware of the bug and was working on a fix by deploying HTTPS across its portfolio.
The dev found a session cookie passed back to the application could be stolen by attackers residing on the victim's network that would provide access to Instagram accounts.
Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts. Pretty serious vuln, FB. please fix.— Stevie Graham (@stevegraham) July 27, 2014
"I think this attack is extremely severe because it allows full session hijack and is easily automated," Graham wrote in the Github post containing the tool.
"I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam."
He wrote on YCombinator that Facebook's security team said the flaw was previously reported and that Instagram was deploying HTTPS "for all endpoints". Menlo Park reportedly noted that the need to attack via man-in-the-middle on public networks made the attack difficult for most punters, a claim which he rejected.
"I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart."
Facebook acknowledged the flaw adding it was working on deploying HTTPS.
Instagram was deploying HTTPS across its network including Instagram Direct launched late last year.
Latency-sensitive read endpoints such as the Instagram main feed would be slapped with HTTPS as performance issues were addressed.
Speediness was one of the bug bears with HTTPS deployments. In 2012, hipster bazaar Etsy detailed the problems it encountered as it deployed HTTPS, HTTP Strict Transport Security and two factor authentication, including a "thrilling explosion" of errors. ®