Instagram, Vine, and other apps pass data around without encryption

A team of data forensics experts has revealed that unsecured data is constantly leaking from some of the most popular mobile apps in the world.

Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) are detailing security vulnerabilities in the apps—including Instagram, Vine, Words With Friends, Grindr, Kik, and TextMe—in a series of videos.

“We have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue,” the researchers say in their announcement, which also estimates that the issues affect a combined audience of 968 million people.

Problems included unencrypted chat records, unsecured servers used to hold videos, and media, location data, and text being sent “in the clear” with no encryption.

According to Cnet, “The researchers found the unencrypted data by monitoring the devices’ network traffic, seeing words they’d type into the apps appear in plaintext over the network, and by examining files captured with in device backup software.”
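The check described above, typing a known string into an app and looking for it in plaintext in captured traffic, is one a developer can run against a capture from their own test device. The following is an added example, not code from UNHcFREG or the article; the canary string, the addresses, and the constructed capture are assumptions, and it inspects each TCP segment on its own without stream reassembly.

```python
import socket
import struct

def _frame(dst_ip, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_sample_pcap(canary):
    """Constructed capture: one cleartext HTTP POST, one opaque port-443 record."""
    frames = [
        _frame("198.51.100.7", 80,
               b"POST /msg HTTP/1.1\r\nHost: chat.example\r\n\r\ntext=" + canary),
        _frame("198.51.100.8", 443, b"\x17\x03\x03\x00\x10" + bytes(range(16))),
    ]
    # Classic pcap global header, little-endian, link type 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def find_cleartext(pcap, canary):
    """Return sorted (dst_ip, dst_port) pairs whose TCP payload contains the canary."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    hits, off = set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        pkt = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4  # start of TCP header after IP options
        if len(pkt) < tcp + 20:
            continue  # truncated TCP header
        dport = struct.unpack_from("!H", pkt, tcp + 2)[0]
        payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:]
        if canary in payload:
            hits.add((socket.inet_ntoa(pkt[30:34]), dport))
    return sorted(hits)
```

Any destination returned is an endpoint that received the canary unencrypted; an empty result for a single capture does not prove the app encrypts everything, since a canary split across segments or encoded before sending is not matched.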

Ibrahim Baggili, UNHcFREG’s director and Assistant Professor of Computer Science at the university’s Tagliatela College of Engineering, told the Daily Dot that the seemingly obscure data leaks were easy fodder for intruders using simple monitoring software.

“It’s a very practical problem,” Baggili said. “If you are sitting and using a hotspot in a coffee shop, the traffic can very easily be intercepted.”

The three programs that Baggili’s team used—Wireshark, NetworkMiner, and NetWitness Investigator—are all free. (The full version of NetworkMiner costs $700, but there is a lite version with basic functionality.)

So far, the UNH team has only tested their method with Android phones. In the video below, they demonstrate how a Windows application called NetworkMiner can intercept photos sent from and received by the Instagram Android app.

“We recorded network traffic in Wireshark to see if files remained on the server,” one of the researchers says in the video. “For Instagram, we found an image that we sent weeks ago, still on their server unencrypted and without authentication.”

This doesn’t necessarily mean your Android is leaking this data, and it’s a software-dependent hack, but in the wake of Celebgate, it’s certainly a sensitive issue.

H/T Cnet | Photo via Jason Howie/Flickr (CC BY 2.0)

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.