By Stephen Schenck | December 3, 2012 2:33 PM
Instagram may have come to Android earlier this year, but the popular photo app got its start and made a name for itself on iOS devices. Unfortunately for those iOS users, though, it turns out the app has a security hole that has the potential to let an attacker take some control over your Instagram account, including the ability to delete your pics.
The problem has to do with how the app authenticates itself with Instagram’s servers. While some actions require an encrypted connection, rendering them secure, at other times the app sends a cookie over an unencrypted connection to confirm your account info with the company’s servers. That means that if you’re on an unsecured or untrusted connection, like an open WiFi access point, whoever controls that AP can sniff your traffic and grab that cookie.
Using that captured cookie, an attacker can connect to the Instagram website to access the victim’s account. By changing the email affiliated with the profile, an attacker can essentially lock users out of their own accounts.
The researcher who discovered this vulnerability contacted Instagram last month, but the company has yet to release an update to close the hole. There’s no word on whether a similar attack is possible for Android.
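For developers who want to check their own app for the cookie exposure described above, the following added example (not from the original article or from Instagram) audits a proxy capture of the app's traffic for session cookies that travel over plain HTTP or are set without the `Secure` attribute. The cookie name `sessionid`, the `example.com` hosts, the record layout and the sample capture are all assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: names of the cookies that carry the session for the app under test.
SESSION_COOKIE_NAMES = {"sessionid"}


def audit_capture(records):
    """Return (issue, cookie_name, url) findings for exposed session cookies.

    Each record describes one request/response pair from a capture of your
    own app's traffic: {"url", "request_headers", "set_cookie"}.
    """
    findings = []
    for rec in records:
        scheme = urlsplit(rec["url"]).scheme.lower()

        # Case 1: the client sent the session cookie over an unencrypted request.
        sent = SimpleCookie()
        sent.load(rec.get("request_headers", {}).get("Cookie", ""))
        for name in sent:
            if name in SESSION_COOKIE_NAMES and scheme == "http":
                findings.append(("sent-over-http", name, rec["url"]))

        # Case 2: the server set the session cookie without Secure, so the
        # client is allowed to attach it to later plain-HTTP requests.
        for header in rec.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if name in SESSION_COOKIE_NAMES and not morsel["secure"]:
                    findings.append(("missing-secure-flag", name, rec["url"]))
    return findings


# Constructed sample capture: login over HTTPS, then a mix of HTTP and HTTPS calls.
SAMPLE_CAPTURE = [
    {"url": "https://api.example.com/login", "request_headers": {},
     "set_cookie": ["sessionid=abc123; Path=/; HttpOnly"]},
    {"url": "http://api.example.com/feed",
     "request_headers": {"Cookie": "sessionid=abc123; lang=en"}, "set_cookie": []},
    {"url": "https://api.example.com/photo/delete",
     "request_headers": {"Cookie": "sessionid=abc123"}, "set_cookie": []},
]

if __name__ == "__main__":
    for issue, name, url in audit_capture(SAMPLE_CAPTURE):
        print(f"{issue}: cookie '{name}' at {url}")
```

A capture with no findings means every request carrying the session cookie used HTTPS and the cookie was issued with `Secure`, which is the condition the flaw described here violates.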