Reverse-engineering Instagram to access the private API

59 points by 1il7890, more than 11 years ago

4 comments

sjtgraham, more than 11 years ago
Is it still the case that the app only uses HTTPS to create a session and plain HTTP for everything else? I remember that was the case about a year ago after using mitmproxy to sniff traffic, although I don't recall HMAC being used to sign requests then. Anyway, I wondered then why nobody had used firesheep to devastating effect, e.g. a bot sitting on an open wifi and posting NSFW images to any account on the network.
potomak, more than 11 years ago
Note that Instagram doesn't encrypt requests to their private API, they're only signing them. In fact the parameter is called 'signed_body', not 'encrypted_body'.

Anyway interesting post.
rnaud, more than 11 years ago
Isn't the fact that they are using a simple HMAC-SHA256 hash also a root of the problem?

If, instead of using the POST data only to create the hash, they added another piece of information, like the hour of the day, wouldn't it be way harder for a hacker to actually understand what went into signing the request?
SifJar, more than 11 years ago
Interesting write up. Seems rather simple, really. Presumably Instagram could change their private key and roll out a new client version on each platform, breaking all third party apps using the current key though. Although I guess it'd be just as easy to get it again.
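The comments above turn on two points: a signed body is not an encrypted one, and a time value could be bound into the HMAC-SHA256 input. The following is an added example, not part of the thread and not Instagram's actual wire format; the `<hex mac>.<json>` layout, the `ts` field, the demo key and the 300-second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a client-side key ships inside the app binary.
DEMO_KEY = b"constructed-demo-key-not-a-real-one"
MAX_SKEW = 300  # assumed freshness window, in seconds


def sign(fields: dict, now: int, key: bytes = DEMO_KEY) -> str:
    """Build '<hex mac>.<json>' with the timestamp inside the signed bytes."""
    body = json.dumps({**fields, "ts": now}, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{body}"


def readable_without_key(signed_body: str) -> dict:
    """Parse the payload with no key at all: a MAC gives integrity, not secrecy."""
    return json.loads(signed_body.split(".", 1)[1])


def verify(signed_body: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Server side: constant-time MAC check first, then the timestamp window."""
    mac, sep, body = signed_body.partition(".")
    if not sep:
        raise ValueError("malformed signed_body")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    fields = json.loads(body)
    ts = fields.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW:
        raise ValueError("stale or missing timestamp")
    return fields
```

The timestamp check only bounds how long a captured request stays valid. Confidentiality of the body still has to come from the transport (TLS), and the signature authenticates whoever holds the key rather than a particular client.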