Android Instapaper app vulnerable to man-in-the-middle cyberattacks

Researchers at Bitdefender say the vulnerability could be exploited to expose user credentials. [UPDATED]


UPDATE 13.17 BST: Updated with Instapaper comment.

The popular Android version of the Instapaper app is vulnerable to a serious security flaw, according to security researchers at Bitdefender.

On Wednesday, the Bitdefender security team claimed to have discovered a vulnerability in the Instapaper app which leaves users exposed to man-in-the-middle (MITM) attacks. If a user is connected to a Wi-Fi network monitored by an attacker, the communication channel used by the app could be intercepted using a fake certificate and a traffic-intercepting tool, exposing user signup and login credentials.

Founded in 2008 and later acquired by Betaworks in 2013, Instapaper is a reading application available for iOS and Android. The mobile app is used to save and store articles for later perusal when users are offline or traveling. The application saves most web pages as a text-only format for mobile devices such as smartphones and tablets. In order to use the app's extended functions such as note-taking and "liking" articles, you must sign up and create an account.

According to Catalin Cosoi, Chief Security Strategist at Bitdefender, the vulnerability does not lie in the way the application fetches content, but in the fact that there is no certificate validation in place. Cosoi said:

"Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, they could use a self-signed certificate and start 'communicating' with the application."

Android's TrustManager checks whether the certificate chain presented by the server can be validated and is therefore trusted for client/server authentication. If the app does not implement this validation, anyone can impersonate the Instapaper server and use a MITM attack to steal user credentials.


Cosoi said:

"The vulnerability may have serious consequences, as while the attacker might seem to only gain access to your Instapaper account, many people use the same password for multiple accounts.

"A cybercriminal could try and use your Instapaper password to access your social media or email accounts."

Speaking to ZDNet, an Instapaper spokesman said:

"The issue with certificate validation described in the Bitdefender post has been resolved as of Instapaper for Android 4.2.2, which went live yesterday. I'd also like to state that, while we take security very seriously at Instapaper, the severity of this vulnerability is low. Companies like Facebook didn't even enforce SSL by default until very recently, and until even more recently Instapaper's website did not use SSL by default."
