Instagram's SSL certificate has expired, showing the urine-filled-swimming-goggles-vision site's supposed commitment to security seems to have been a bit of a filter-job.
Instagram first rolled out HTTPS in 2014 when a vulnerability was reported by InfoSec specialist Mazin Ahmed.
Ahmed used Wireshark to capture unencrypted data that goes through HTTP, including the pictures that the victims were browsing, their session cookies and their username and ID.
Co-founder Mike Krieger took to Y-Combinator's Hacker News forum to thank users for raising the issue.
"We've been steadily increasing our HTTPS coverage--Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS.
"For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we're actively working on rolling out HTTPS while making sure we don't regress on performance, stability, and user experience. This is a project we're hoping to complete soon, and we'll share our experiences in our eng blog so other companies can learn from it as well."
Instagram's attempts to implement a means of securing its users' privacy will not be strengthened by an expired SSL certificate, which may create room for malicious actors to attack its userbase.
Angry users took to Twitter to vent their spleens.
ZuckerBorg's Facebook assimilated Instagram for $715m in 2012, and it was Facebook's security who responded to Mazin when he first notified them of the issue last year with the following:
"Facebook has discussed this issue at length and plans on moving everything on the Instagram site to HTTPS. However there is no definite date for the change."
That statement continued: "At the moment Facebook accepts the risk of parts of Instagram communicating over HTTP and not HTTPS. We consider this a known issue and are working toward a solution in the future."
The Register has contacted both Facebook and Instagram for an explanation. We will update this story if we hear back from either site. ®