igdmapps / igdm

Desktop application for Instagram DMs
MIT License
1.96k stars 406 forks

session is still valid after logout #1082

Open baptx opened 5 years ago

baptx commented 5 years ago

When I tested IGdm-2.7.1-x86_64.AppImage on GNU/Linux (Lubuntu 19.04), I noticed a security issue: when you log out, the session is not invalidated on the server side, it just closes the messages view. Instead, an API request should be sent to Instagram servers in order to invalidate the session on the server side, to limit an attack in case of session hijacking.

Steps to reproduce the behavior:

  1. Use a tool like mitmproxy to intercept the HTTPS requests done by IGdm
  2. Configure a tool like proxychains to use the HTTP proxy (by default 127.0.0.1 on port 8080)
  3. Start IGdm using a proxy with a command like proxychains ./IGdm-2.7.1-x86_64.AppImage
  4. Export a cURL request that should only work while logged in, like reading messages (press the key "e", then select "curl", then select a filename like "curl.sh" to export the request)
  5. Log out
  6. Try to replay the cURL request
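The replay check from the steps above, modelled offline so it can be run without mitmproxy or an Instagram account. This is an added example, not code from the issue or from the igdm project: a constructed in-memory backend with hypothetical `/login`, `/logout` and `/inbox` endpoints and a `sessionid` cookie stands in for the remote API, and `session_survives_logout()` does what the reporter did by hand, that is log in, keep the cookie (the part of the exported `curl.sh` that matters), log out, then replay the captured request. The `invalidate_on_logout` switch is an assumption used to show both behaviours side by side; the endpoint paths and cookie name are also assumptions, not Instagram's.

```python
import http.cookies
import http.server
import secrets
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the remote API (NOT Instagram's): an in-memory
# session table plus the three endpoints the check needs.
SESSIONS = {}          # session id -> user name
LOCK = threading.Lock()


class Handler(http.server.BaseHTTPRequestHandler):
    # Hypothetical switch: True revokes the session server side on logout,
    # False models the client-only logout reported in the issue.
    invalidate_on_logout = True

    def log_message(self, fmt, *args):  # silence per-request logging
        pass

    def _sid(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return jar["sessionid"].value if "sessionid" in jar else None

    def _send(self, code, body, extra=None):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path == "/login":
            sid = secrets.token_hex(16)
            with LOCK:
                SESSIONS[sid] = "demo-user"
            self._send(200, "logged in", {"Set-Cookie": f"sessionid={sid}"})
        elif self.path == "/logout":
            if self.invalidate_on_logout:
                with LOCK:
                    SESSIONS.pop(self._sid(), None)
            self._send(200, "logged out")
        else:
            self._send(404, "not found")

    def do_GET(self):
        if self.path != "/inbox":
            self._send(404, "not found")
            return
        with LOCK:
            user = SESSIONS.get(self._sid())
        if user is None:
            self._send(401, "login required")
        else:
            self._send(200, f"inbox of {user}")


def _request(base, method, path, cookie=None):
    """Send one request; return (status, body, headers) even for 4xx/5xx."""
    req = urllib.request.Request(base + path, method=method,
                                 data=b"" if method == "POST" else None)
    if cookie is not None:
        req.add_header("Cookie", f"sessionid={cookie}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(), resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(), err.headers


def session_survives_logout(base):
    """Log in, keep the cookie, log out, replay the captured request.
    Returns True if the server still honours the old session."""
    _, _, headers = _request(base, "POST", "/login")
    cookie = http.cookies.SimpleCookie(headers["Set-Cookie"])["sessionid"].value
    if _request(base, "GET", "/inbox", cookie)[0] != 200:
        raise RuntimeError("captured request must work before logout")
    _request(base, "POST", "/logout", cookie)
    status, _, _ = _request(base, "GET", "/inbox", cookie)
    return status == 200


def run_check(invalidate_on_logout):
    """Start the constructed backend in the given mode on a free local port,
    run the replay check against it and return the verdict."""
    handler = type("DemoHandler", (Handler,),
                   {"invalidate_on_logout": invalidate_on_logout})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return session_survives_logout(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("client-only logout, old session still works:", run_check(False))
    print("server-side invalidation, old session still works:", run_check(True))
```

Against a real target, `session_survives_logout()` would be pointed at the captured request instead of the demo endpoints: the decisive signal is that a replay with the pre-logout cookie still returns the protected content (200 with message data) rather than a login challenge. Checking that the captured request works before logout matters, because a replay that fails for some other reason (expired CSRF token, wrong proxy) would otherwise look like a correct invalidation.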

duplicate-issues[bot] commented 5 years ago

Hey @baptx,

We did a quick check and this issue looks very darn similar to

This could be a coincidence, but if any of these issues solves your problem then I did a good job :smile:

If not, the maintainers will get to this issue shortly.

Cheers, Your Friendly Neighborhood ProBot