Instagram iOS Users Vulnerable to ARP Spoofing

(Ping! Zine Web Tech Magazine) – A recently discovered security vulnerability by a security specialist could have a devastating effect on users of popular photo sharing app Instagram.

The problem reportedly occurs on iPhone devices and was discovered in early November by Carlos Reventlov.

“Instagram 3.1.2 for iPhone (released on Oct 23, 2012) is vulnerable to a session riding attack that could lead an attacker on the same network to gain access to the victim’s account,” Reventlov states via his blog at

According to the security specialist, it’s possible for an attacker to trick port 80 traffic to be rerouted through an unauthorized system, occurring when two users operate on the same network. The attack is known as “ARP spoofing.”

“When the victim starts the Instagram app and performs any action that requires authentication, such as liking or unliking pictures, a plain text cookie is sent to the Instagram server, once the attacker gets the cookie he is able to login into the user’s account via web and perform a variety of actions,” the blog post goes onto say.

The security expert has suggested Instagram fix the vulnerability by securing its cookies.

Security firm Secuina, meanwhile, responded by releasing its own security advisory. However, according to a report from PC World, Instagram had yet the address the problem as of last Tuesday.