Similar to Tinder Instagram Connect

So I noticed that apps like Tinder can show the Instagram connect of, let's say, User A on everyone else's phones even without requiring other users to actually sign into Instagram.

For example: User A connects Instagram and gets an access token. Users B, C, D... can see A's public & private pictures without even logging into Instagram.

Is there a way to view another user's Instagram without requiring an access token - even private pictures, by just using CLIENT_ID?

Legolas asked Apr 02 '16 00:04

2 Answers

Let's not make confusion. A Tinder user can opt in for sharing Instagram photos. Tinder has no worldwide access to Instagram photos. I will answer you from the security perspective, as I have never tried setting up a Tinder account with an Instagram connection to test the scenario for you. Actually, from my understanding of the Instagram APIs it could be impossible to get a user's private pictures. But I could be wrong, so let me continue my discussion.

The access token is embedded in the Tinder app code; you may or may not find it if you decompile the code, depending on the level of obfuscation, and almost certainly if you use software such as mitmproxy. I won't discuss such a practice here.

So the Tinder client is granted a token to access users' pictures.

The user opts in on Tinder/Instagram to access his private photos. A single access token is valid for the pictures of all users who opted in to Instagram. If you steal Tinder's token you can access any Tinder-Instagram user's private photos. That is not bad. The user has chosen to share private photos with the world. But if an Instagram user is not a Tinder user, be sure that you won't get anything.

Please mind that the token is valid for the Tinder application, and is not user A's token. This is forbidden by security practices.

By associating your Tinder account with Instagram you grant Tinder's already-issued token access to your photos on your behalf.

Summarizing:

  • Tinder client - Actor
  • Instagram - Resource server
  • User A's photos - Resource
  • User B (on Tinder, not on Instagram) - not an actor in the workflow
  • Token issued to Tinder: access to any (public or private?) photos of users who have opted in to share Instagram photos on Tinder

Note: Tinder client may or may not use an Instagram-issued token. From a general security point-of-view, there are two implementation scenarios:

  1. Tinder client contacts Instagram server with a token that is issued to Tinder application and encoded in all clients
    • PRO: bandwidth is charged to user only
    • CON: exposing the token may grant one access to any Tinder-Instagram user's photos without going through Tinder
  2. Tinder app requests Tinder server to fetch photos from Instagram. Tinder client only authenticates with Tinder server
    • PRO: more secure design. Tinder-to-Instagram token never exposed. If a user leaves Tinder he can't access Instagram photos of other Tinder users
    • CON: Tinder server will be charged for the bandwidth needed to retrieve and distribute photos. This exposes Tinder to a potential violation of Instagram API ToS if they start caching the photos
usr-local-ΕΨΗΕΛΩΝ answered Sep 20 '22 13:09

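A toy model of the two implementation scenarios contrasted in the answer above, as an added example that is not part of the original answer and is not Tinder's or Instagram's code. The resource server, the app token value, the user names, the session ids and the `NotOptedIn` error name are all constructed for the demo; only `OAuthAccessTokenError` is a real Instagram API error type. In scenario 1 the app-level token travels in every client, so anyone who extracts it can query any opted-in user directly; in scenario 2 the backend is the only token holder and refuses requests that do not carry a valid session for a current app user.

```python
"""Toy model of 'token in client' vs 'token on backend' (constructed example)."""
from dataclasses import dataclass, field

APP_TOKEN = "app-token-placeholder"  # made-up value standing in for the app's token


@dataclass
class ResourceServer:
    """Stands in for Instagram: one token per app, per-user opt-in, per-user media."""
    app_token: str
    opted_in: set = field(default_factory=set)   # users who connected the app
    media: dict = field(default_factory=dict)    # user -> list of photo ids

    def recent_media(self, token: str, user: str) -> dict:
        """Mimics .../users/{user}/media/recent/?access_token=... (constructed)."""
        if token != self.app_token:
            return {"meta": {"error_type": "OAuthAccessTokenError"}}
        if user not in self.opted_in:
            return {"meta": {"error_type": "NotOptedIn"}}  # made-up error name
        return {"data": list(self.media.get(user, []))}


# Scenario 1: the token is embedded in the client. Whoever extracts it can query
# any opted-in user directly; the resource server cannot tell clients apart.
def fetch_from_client(server: ResourceServer, token: str, target: str) -> dict:
    return server.recent_media(token, target)


# Scenario 2: only the app's backend holds the token. It requires a valid
# session and applies its own opt-in check before touching the resource server.
class AppBackend:
    def __init__(self, server: ResourceServer, token: str):
        self._server = server
        self._token = token
        self.sessions: dict = {}    # session id -> logged-in app user
        self.opted_in: set = set()  # users who linked their account in this app

    def fetch_for_session(self, session_id: str, target: str) -> dict:
        requester = self.sessions.get(session_id)
        if requester is None:
            return {"error": "not_authenticated"}      # not a current app user
        if target not in self.opted_in:
            return {"error": "target_not_opted_in"}    # enforced before any upstream call
        resp = self._server.recent_media(self._token, target)
        if resp.get("meta", {}).get("error_type") == "OAuthAccessTokenError":
            return {"error": "app_token_invalid"}      # re-authorize the app, not the user
        return resp


def build_demo():
    """Constructed fixture: alice opted in, carol did not; bob has a session."""
    server = ResourceServer(APP_TOKEN, opted_in={"alice"},
                            media={"alice": ["a1", "a2"], "carol": ["c1"]})
    backend = AppBackend(server, APP_TOKEN)
    backend.sessions["sess-bob"] = "bob"
    backend.opted_in.add("alice")
    return server, backend


if __name__ == "__main__":
    server, backend = build_demo()
    print(fetch_from_client(server, APP_TOKEN, "alice"))        # leaked token: works for anyone
    print(backend.fetch_for_session("unknown", "alice"))       # no session: refused
    print(backend.fetch_for_session("sess-bob", "carol"))      # carol never opted in
    print(backend.fetch_for_session("sess-bob", "alice"))      # allowed
```

The backend path is also where the answer's "if a user leaves Tinder" point lands: deleting the session entry is enough to cut that user off, while in scenario 1 nothing short of rotating the app token revokes a leaked copy.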


The previous answer is way too confusing... so let's handle it in an easy way, according to your question.

Let's start by understanding what access_token is in their API, in API requests like:

api.instagram.com/v1/users/self/media/recent/?access_token=%@

Working through the API, receiving this access_token still requires granting of access and authentication (see the manual on Receiving an access_token). As you can read there, all the possible options still require authenticated access.

Even though our access tokens do not specify an expiration time, your app should handle the case that either the user revokes access, or Instagram expires the token after some period of time. If the token is no longer valid, API responses will contain an “error_type=OAuthAccessTokenError”. In this case you will need to re-authenticate the user to obtain a new valid token. In other words: do not assume your access_token is valid forever.

This is the standard authentication process in programming, with access tokens, session identifiers, etc.

The world has been living with OAuth 2.0 Authorization Protocol for a long time, you are not the last guy who's concerned about it. If you are sleeping fine knowing about theoretical Session hijacking, then you shouldn't worry that much about potential security issues related to usage of APIs by access tokens.

It's secure enough. Aha, and another "small thing" I forgot to mention: all requests to the Instagram API must be made over SSL (https:// not http://), which adds even more confidence.

To answer your question explicitly:

"is there a way to view another user's instagram without access token - even private pictures by just using CLIENT_ID?"

No, there's no possibility. The security token is the thing which requires granting of access and authentication. If it allowed this kind of access, this would be counted as a security vulnerability. This is the basics of the OAuth mechanism. If you need more understanding, you may read here, in simple language, how OAuth as an authentication protocol works.

Farside answered Sep 20 '22 13:09

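The client-side token handling the answer above quotes from the docs, as an added example that is not part of the original answer and is not Instagram's code: the token is sent only over https, and a response carrying `error_type=OAuthAccessTokenError` makes the client drop the stored token and ask for re-authentication instead of retrying. The `TokenStore` helper, the `fake_transport` stand-in for an HTTPS client, the `meta`/`data` response shape and the token values are constructed for the demo; the endpoint path is the one shown in the answer.

```python
"""Handling an OAuth access token on the client (constructed example)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

MEDIA_ENDPOINT = "https://api.instagram.com/v1/users/self/media/recent/"


class ReauthRequired(Exception):
    """Raised when no token is stored or the API reports the token invalid."""


class TokenStore:
    """Holds the token obtained through the OAuth flow (hypothetical helper)."""
    def __init__(self, token):
        self.token = token

    def clear(self):
        self.token = None


def build_url(endpoint: str, token: str) -> str:
    """Append access_token as a query parameter; refuse anything but https."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("API requests must use https")
    return endpoint + "?" + urlencode({"access_token": token})


def fetch_recent_media(transport, store: TokenStore, endpoint: str = MEDIA_ENDPOINT) -> list:
    """Call the endpoint; on a token error, discard the token and signal re-auth."""
    if store.token is None:
        raise ReauthRequired("no token stored")
    body = json.loads(transport(build_url(endpoint, store.token)))
    error = body.get("meta", {}).get("error_type")
    if error == "OAuthAccessTokenError":
        store.clear()  # never keep retrying with a revoked or expired token
        raise ReauthRequired(error)
    if error:
        raise RuntimeError(error)
    return body["data"]


def fake_transport(valid_tokens: set):
    """Constructed stand-in for an HTTPS client; answers in the API's JSON shape."""
    def send(url: str) -> str:
        token = parse_qs(urlsplit(url).query).get("access_token", [None])[0]
        if token not in valid_tokens:
            return json.dumps({"meta": {"code": 400, "error_type": "OAuthAccessTokenError"}})
        return json.dumps({"meta": {"code": 200}, "data": [{"id": "m1"}, {"id": "m2"}]})
    return send


if __name__ == "__main__":
    valid = {"tok-good"}                 # tokens the fake server still accepts
    store = TokenStore("tok-good")
    send = fake_transport(valid)
    print(fetch_recent_media(send, store))
    valid.discard("tok-good")            # user revoked access, or token expired
    try:
        fetch_recent_media(send, store)
    except ReauthRequired as exc:
        print("re-authenticate:", exc, "stored token now", store.token)
```

Keeping the revocation check in one place means every caller gets the same behaviour the docs ask for: a token that once worked is not assumed to work forever, and a failed call leaves no stale credential behind to be retried.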