Is Instagram doing enough to fix its account hijacking bug?

If you're checking Instagram on public Wi-Fi, you may be exposing more than you realize. A security researcher named Mazin Ahmed has published a new report showing how easy it is to hijack an Instagram account, and taking the company to task for lax security. The technique relies on catching Instagram data in transit, either through an open Wi-Fi hotspot or a more sophisticated attack at the network level. If attackers can do that, Ahmed says, they'll be able to see unencrypted pictures, user IDs and account keys — potentially allowing outsiders to take over your account entirely.

The bug isn't new — researchers have reported it as early as 2012 — but so far, Instagram doesn't seem worried about it. When Ahmed reported his finding to Facebook, which owns the service, a company representative told him it was a known issue. "We accept the risk," the rep told Ahmed in an email, "and [we're] working towards a solution in the future." It's still unclear when a fix might be coming, and whether the company will be willing to accept the extra time and processor load that comes with encryption.

Reached for comment, an Instagram representative told The Verge, "we are doing the technical work that is necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance. We'll keep the Instagram community updated on our progress."

July 28th, 4:20pm EST: The article has been updated to include comment from Instagram.