Android Instapaper users at risk of man-in-the-middle attacks

Instapaper is a great little smartphone app, useful for saving any interesting articles you stumble across while browsing the web, so you can peruse them later at your convenience in an easy-to-read format.

But, say security researchers at Bitdefender, the Android version of Instapaper has a vulnerability that could allow hackers to snoop upon your account's username and password.

According to a Bitdefender blog post, Instapaper is vulnerable to a "man-in-the-middle" attack if you try to log into your account via a WiFi network that is being monitored by malicious hackers.

Password exposed

The problem is that although Instapaper handles the entire communication via HTTPS, it performs no validation of the certificate for the server it is communicating with. This means that an attacker could present their own self-signed certificate and start "communicating" with the victim's app, with the app none the wiser.
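The defect described above, illustrated as an added example (this is not Instapaper's code or Bitdefender's): the first method shows the code-review smell that produces exactly this behaviour, a TrustManager and HostnameVerifier that accept anything, and the second keeps the platform's default chain and hostname validation and adds a pin on the server's public key hash. The pin value and the URL are assumed inputs supplied by the caller.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsClientExample {

    // Vulnerable pattern: a TrustManager whose checks are empty accepts any
    // certificate chain. HTTPS still encrypts the connection, but the app never
    // learns who is on the other end, so a self-signed certificate presented by
    // someone on the same WiFi network is accepted silently.
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    static void insecureLogin(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // hostname checks disabled too
        conn.getInputStream().close();
    }

    // Hardened version: leave the default SSLSocketFactory in place (it validates
    // the chain against the device trust store and checks the hostname) and then
    // compare the SHA-256 of the leaf's SubjectPublicKeyInfo against a pinned value.
    static void pinnedLogin(URL url, String expectedSpkiSha256Base64) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        Certificate leaf = conn.getServerCertificates()[0];
        byte[] spki = leaf.getPublicKey().getEncoded(); // DER-encoded SubjectPublicKeyInfo
        String actual = Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(spki));
        if (!actual.equals(expectedSpkiSha256Base64)) {
            conn.disconnect();
            throw new SecurityException("certificate pin mismatch for " + url.getHost());
        }
        conn.getInputStream().close();
    }
}
```

An empty `checkServerTrusted` body or a HostnameVerifier that always returns true is the pattern to look for when auditing an app for this class of bug.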

Although you may not (or perhaps you do) care that much about an unauthorised party seeing which articles you are storing in your Instapaper account, the problem gets even more serious when you consider that many users are likely to be using the same password for many other online accounts.

Bitdefender says it informed the developers of the Instapaper app of the problem, who have tweeted back that it is fixed in the latest version available from the Google Play store.

For a long time I have felt that the biggest security problem facing smartphone users is the apps that they run on their devices. Too many apps, amongst them some of the world's most popular, are doing a poor job of securing their users' information.


One Response

  1. Bob

    June 24, 2015 at 2:04 pm

    Graham, there's a typo in your article: "HTTTPS" (too many t's).

    I wish more mobile apps (and browsers) would implement certificate pinning; it would make the internet a safer place and reduce very many MiTM attacks.
