Instapaper Android app vulnerable to data theft by hackers

Bitdefender warns that hackers can steal log-in credentials via 'man-in-the-middle' attacks

The Instapaper mobile application for Android is vulnerable to hackers and it's possible that cyber criminals have already stolen usernames and passwords of those using the tool, security researchers at Bitdefender have warned.

The discovery of the vulnerability comes after Moonpig's Android application was previously found to be exposing the personal data of users.

Instapaper is described as ‘a simple tool for saving web pages to read later on your iPhone, iPad, Android, computer, or Kindle.'

The application has been downloaded hundreds of thousands of times on Android alone but now researchers at Bitdefender have warned that Instapaper is vulnerable to ‘man-in-the middle' attacks which can expose users' sign-in credentials when they login to their accounts.

Users who sign into Instapaper on a wireless network which is being monitored by hackers could have their usernames and passwords intercepted via the use of a fake certificate, or a traffic-intercepting tool.

Essentially, those who also use their Instapaper for Android login email address and password for other services on the web such as their email account or social media could be giving hackers access to those accounts.

"The vulnerability may have serious consequences, as while the attacker might seem to only gain access to your Instapaper account, many people use the same password for multiple accounts," warned Catalin Cosoi, chief security strategist at Bitdefender.

"A cyber criminal could try and use your Instapaper password to access your social media or email accounts," he continued, adding "Studies have shown that over 50 per cent of users reuse the same password, so the chances are that more than one account could be vulnerable if your Instapaper credentials have been stolen."

According to Cosoi, the security vulnerability comes from the application using a TrustMananger but without the requirement for certificate verification.

"The vulnerability lies not in the way the application fetches content but in the way it implements, or in this case, doesn't implement, certificate validation," he said.

"Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, they could use a self-signed certificate and start ‘communicating' with the application," Cosoi concluded.

Recently released Snowden documents revealed that GHCQ and the NSA targeted a number of anti-virus software firms - including Bitdefender - in an effort see how they might be able to crack or circumvent their security.