
Could Instagram Vulnerability Put Your Network at Risk?

Written By
Sue Poremba
Dec 5, 2012

I read somewhere that Instagram, the photo-sharing app, had a record number of posts on Thanksgiving Day. With the holiday season in full swing, Instagram use is just going to go up (my Facebook account has proven that already).

Besides the risk of pictures taken at office parties going viral, there is now a vulnerability in Instagram that could put data at risk — if the person is using an iPhone. According to the Sophos Naked Blog:

A security researcher on Friday published a proof-of-concept attack on Instagram for iOS that could allow malicious users to remotely hijack victims’ accounts. The issue stems from Instagram’s method of sending an unencrypted, plain text cookie to the Instagram server when users start the app and perform any action that requires authentication, such as liking or unliking pictures.

Now, the Cult of Mac blog put its own spin on the story, stating:

The bad news? Instagram has a vulnerability that could allow a hacker to take over your account. The good news? That hacker would have to be close enough that he could just walk over and punch you to do so. In order for a hacker to use this method to take control of your Instagram account, you’d need to be on the same local-area-network, which means that the chances are good that unless you’re on a public WiFi network with a malevolent hacker, you’re probably pretty safe.

But is “probably safe” enough if you are dealing with an employee who uses BYOD and connects to your network? As Jacob Faires, Solutionary SERT Security Researcher, told me in an email:

Applications are the biggest threat to security in even the most-well-controlled BYOD environment. As we have seen in the Instagram vulnerability reported at the end of last week affecting iOS, increased access to more applications means more BYOD real estate can be attacked and that there are more possible holes an attacker has at his disposal for exploitation. Organizations that want to reduce BYOD related risks should limit allowed applications, which will limit possible attack vectors to devices. Furthermore, BYOD comes at a larger understood risk than a tightly controlled corporate owned device environment. A well secured network and encrypted traffic would not allow this specific attack to occur. Strong perimeter security and solid device policy are the building blocks of a safe BYOD environment.

The Instagram problem is also the latest reminder for anyone still operating under the assumption that the iPhone is safe. Nick Cavalancia, VP at SpectorSoft, puts that idea to rest. He told me:

Although typically thought of as the most secure BYOD smartphone, this discovery shows that iPhones filled with consumerized applications can turn any user-owned device into prey for hackers. The bottom line is that if your organization allows BYOD, any corporate information the user is accessing is at risk. BYOD may have its place, but the only way to provide security for high-risk users and sensitive data in mobile environments is to issue corporate devices that can be centrally controlled and managed.
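
As an added illustration (not from the original article or from anyone quoted in it), here is one way a defender could check proxy or packet-capture records for the condition the Sophos excerpt describes: a session cookie sent over plain HTTP, or issued without the Secure attribute. The hosts, cookie names and the name-matching heuristic are constructed assumptions, not Instagram's real values.

```python
# Constructed sample records: (scheme, host, header name, header value), such as
# a forward proxy or capture on the office Wi-Fi might yield. All placeholders.
SAMPLE_TRAFFIC = [
    ("https", "api.photoapp.example", "Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("http", "api.photoapp.example", "Cookie", "sessionid=abc123; lang=en"),
    ("https", "api.photoapp.example", "Cookie", "sessionid=abc123"),
    ("https", "mail.corp.example", "Set-Cookie", "sid=zzz; Path=/; Secure; HttpOnly"),
    ("http", "news.example", "Cookie", "lang=en"),
]

# Assumed heuristic for "this cookie probably authenticates the user".
SESSION_HINTS = ("session", "sid", "auth", "token")


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def cookie_names(header_value):
    """Names in a request Cookie header: 'a=1; b=2' -> ['a', 'b']."""
    return [p.split("=", 1)[0].strip() for p in header_value.split(";") if "=" in p]


def audit(records):
    """Return (host, cookie, reason) for each session cookie exposed in transit."""
    findings = []
    for scheme, host, header, value in records:
        header = header.lower()
        if header == "cookie" and scheme == "http":
            # Anyone on the same LAN can read this request, cookie included.
            for name in cookie_names(value):
                if looks_like_session(name):
                    findings.append((host, name, "sent over plaintext HTTP"))
        elif header == "set-cookie":
            # Without Secure, the client will attach the cookie to HTTP requests too.
            first, *attrs = [p.strip() for p in value.split(";")]
            name = first.split("=", 1)[0]
            flags = {a.split("=", 1)[0].lower() for a in attrs}
            if looks_like_session(name) and "secure" not in flags:
                findings.append((host, name, "set without Secure attribute"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRAFFIC):
        print(*finding, sep=" | ")
```
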


Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
