Instapaper Android App Vulnerable to Login Credentials Theft

Instapaper is an Android app that lets users save articles on their devices so that they can read them later on the go or offline. More specifically, the app saves web pages as text only and then formats them appropriately for phones and tablets. The app has a fairly large number of installations, between 100,000 and 500,000, and a nice rating of 4.2.

The Vulnerability

Anyone who wants to use the app has to create an account and sign in. Instapaper implements a secure HTTPS connection, which is supposed to safeguard any information transferred between users and the app. However, Bitdefender has found that version 4.1.4 of the app contains no implementation of certificate validation. In layman’s terms, when you sign up, you send the data to the app’s server, but there is no telling whether it will reach the intended target. As Bitdefender pointed out in their blog post, someone “could use a self-signed certificate and start ‘communicating’ with the application”. Although the data and your login credentials are encrypted, if hackers manage to intercept them, it will not be long before they decrypt them and gain access to your account.

To get more technical, Instapaper uses an SSLSocketFactory that is supposed to validate HTTPS servers against a list of trusted certificates and to confirm that they are authentic by using a private key. This is how your encrypted data is meant to reach the right server. The TrustManager the app uses, however, contains no certificate validation logic at all. This means that scammers can pose as legitimate Instapaper servers and obtain your data.

The Man-in-the-middle Attack

Let’s say that the Wi-Fi network you are using is compromised, i.e. it is being monitored by hackers. If you sign in to Instapaper over such a connection, the hackers can intercept both your username and password. You may think that an Instapaper account is no big deal, because you only use it to read articles. However, most users often recycle usernames as well as passwords. If you use the same username and password on a different service, the hackers can gain access to that and steal more sensitive information.

The Fix

Instapaper released an update on Tuesday, version 4.2.2, which should fix the issue. If you do have the app on your phone or tablet, we recommend updating it right away.