It’s no secret that most people are remarkably lax when it comes to online security. They’ll reuse the same password everywhere, and will connect to open Wi-Fi hotspots without a second thought as to who might be sniffing their traffic (Firesheep, anyone?). Which makes it all the more frustrating when startups launch their products without industry-standard security features that help keep consumers a little safer.
The most recent offender is Instagram, the hot photo sharing app that managed to get hundreds of thousands of users in a matter of weeks. Unfortunately the app sends your password over unencrypted HTTP rather than SSL, so anyone sniffing the network can read it. It’s doubly bad because the app also asks for your Tumblr and Foursquare credentials, and those are sent in the clear too.
Now, Instagram is hardly the first startup to have this flaw. We’ve seen identical issues from the likes of Foursquare and Gowalla, and there are surely countless less well-known iPhone applications that commit the same offence. On the other hand, this problem was making headlines only three months ago, and yet again we have another application with hundreds of thousands of users that made security a secondary priority. This sort of thing really needs to stop, especially as hacking tools like Firesheep make stealing this kind of data easier than ever.
Instagram says that the issue has already been resolved in its next release, which sends password information via SSL for both your Instagram account and any third-party services (the company expects Apple to approve it in the next day or so). We considered holding this post until after that update was approved so as to minimize any possible abuse of the flaw, but it has actually been listed on the company’s GetSatisfaction page since November 4, and was one of the top stories on Hacker News over the weekend. In other words, the ‘bad guys’ already know about it, but consumers may not.
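To make the point concrete, here is an added example (not Instagram’s code, and not from the original post) of what a passive sniffer sitting on an open hotspot can pull out of unencrypted app traffic. The packets are constructed for illustration; the hostnames, paths and form field names are assumptions, not the real APIs of Instagram, Tumblr or Foursquare. The detector parses plain-HTTP requests for password form fields and HTTP Basic credentials, and treats anything that looks like a TLS record as opaque, which is exactly why moving the login to SSL closes the hole.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample traffic standing in for what a passive sniffer on an open
# Wi-Fi hotspot would see. Hostnames, paths and field names are made up for
# illustration; this is not captured Instagram, Tumblr or Foursquare traffic.
SAMPLE_PACKETS = [
    # 1. Login POST over plain HTTP: the form body is readable on the wire.
    {"dst_port": 80, "payload": (
        b"POST /api/v1/accounts/login/ HTTP/1.1\r\n"
        b"Host: photo-app.invalid\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 31\r\n"
        b"\r\n"
        b"username=alice&password=hunter2"
    )},
    # 2. Third-party credentials relayed with HTTP Basic auth. Base64 is an
    #    encoding, not encryption, so this is just as exposed as the form post.
    {"dst_port": 80, "payload": (
        b"GET /v2/users/self HTTP/1.1\r\n"
        b"Host: checkin-service.invalid\r\n"
        b"Authorization: Basic " + base64.b64encode(b"alice@example.invalid:hunter2") + b"\r\n\r\n"
    )},
    # 3. The same login after the fix, sent over TLS on port 443. A sniffer sees
    #    only the TLS record layer (this is the start of a ClientHello), never
    #    the request inside it.
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)},
]

# Field names apps commonly use for the secret in a login form (assumed list).
PASSWORD_FIELD = re.compile(r"^(pass(word|wd|phrase)?|pwd|secret)$", re.IGNORECASE)
USERNAME_FIELDS = ("username", "user", "login", "email")


def _parse_http_request(payload):
    """Split a raw HTTP/1.x request into (request_line, headers, body).

    Returns None if the payload does not look like a complete HTTP request head.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    if len(lines[0].split(" ")) != 3 or not lines[0].startswith(("GET ", "POST ", "PUT ")):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def find_plaintext_credentials(packets):
    """Return every credential a passive observer can read from the packets.

    Each packet is {"dst_port": int, "payload": bytes}. TLS traffic is skipped
    because its contents are not visible to the sniffer; everything else is
    parsed as HTTP and checked for password form fields and Basic auth headers.
    """
    findings = []
    for pkt in packets:
        payload = pkt["payload"]
        # A TLS record starts with a content type byte (0x14..0x17) and a 3.x
        # version; on port 443 or not, the sniffer cannot read inside it.
        looks_like_tls = len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3
        if pkt["dst_port"] == 443 or looks_like_tls:
            continue
        parsed = _parse_http_request(payload)
        if parsed is None:
            continue
        _request_line, headers, body = parsed
        host = headers.get("host", "")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:].strip()).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            user, sep, password = decoded.partition(":")
            if sep:
                findings.append({"host": host, "kind": "basic-auth",
                                 "username": user, "password": password})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(body)
            username = next((fields[k][0] for k in USERNAME_FIELDS if k in fields), "")
            for name, values in fields.items():
                if PASSWORD_FIELD.match(name):
                    findings.append({"host": host, "kind": "form",
                                     "username": username, "password": values[0]})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_PACKETS):
        print(f"{f['host']}: {f['kind']} credentials for {f['username']!r} exposed on the wire")
```

Run against the constructed capture, the script reports the form login and the Basic-auth relay and says nothing about the TLS packet, which is the whole difference between the shipping app and the fixed one: the same request, the same password, but only the SSL version is unreadable to whoever else is on the hotspot.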
Let’s hope other startups stop making the same mistake. No, Instagram, and even Foursquare, aren’t sharing information that’s especially sensitive (after all, many people broadcast their posts to the public). But when so many people reuse their passwords everywhere, that isn’t a good enough reason to put security second.