Man-in-the-middle Attack to Download Instagram Stories

A few days ago Instagram released Stories, a complete copy of a Snapchat feature called, you guessed it, Stories. They even ripped off the name. It was done a little better though, so I’ll give them that.

I was watching the Instagram Story of @mercedesbenz in which a few photographers were going around Europe in G-Wagons taking photos. I really liked one of the videos and wanted to use it as a live wallpaper on my iPhone. That’s easy, I can just log into the Instagram web interface, inspect the page source, look for the <video> tag and download the src attribute, what I always do when I want to download something off of Instagram. But uh-oh Houston (or should I say Menlo Park?) we have a problem. Stories aren’t available on the web interface, at least for now.

This is where I had to think of creative ways to get what I wanted. 
A few weeks ago I used mitmproxy for PokemonGo and that seemed like the best tool for the problem. Mitmproxy is a man-in-the-middle proxy that lets you monitor your network traffic, so you can see all the data the Instagram app is sending to and receiving from the Instagram servers. It might also increase your fedora size by 7000%, according to defaultnamehere.

Before we get started you need to download mitmproxy. You can find all the instructions here. Once that’s all done we can start inspecting the data. But you’re probably asking “yo, how can we do that if all the data is encrypted gibberish??” To get around this we need to trust the mitmproxy CA on our client (the iPhone). Once the phone trusts that CA, it accepts the certificates mitmproxy generates, which allows the proxy to decrypt all the SSL-protected traffic.

Let’s start. I am running OS X 10.11.4, but it shouldn’t be much different on other platforms.

1. First, we need the internal IP address of the machine mitmproxy will be running on. We can get that by running the following command in a terminal. It will most likely start with 192.
ifconfig | grep inet

2. Now we need to fire up mitmproxy. Run ‘mitmproxy’ in your terminal and you should see a black screen.

3. Our computer is now ready as a proxy server. Now we have to configure our phone to send and receive all its network data through the computer before going to its final destination. To do that go to

Settings -> Wi-Fi -> Click on the 'i' next to your wifi network -> HTTP Proxy -> Manual -> Enter the same IP you found in step 1 for Server and 8080 for Port

This tells your phone to send all network traffic to mitmproxy, which is listening on port 8080 at the IP address from step 1 (192.168.0.103 in my case) on the local network.

4. We need to download and install the mitmproxy CA cert. Go to mitm.it on your iPhone and install the appropriate certificate.

5. We are ready to start inspecting. Open up Instagram on your phone and you should see data flowing through mitmproxy.

6. We only want to see requests related to photos and videos, so hit ‘l’ on your keyboard, type in “(mp4) | (jpg)” (without the quotes) and press enter.

7. On your phone, click on the story which you want to download, let it load and watch it.

8. You’ll notice that as you are watching the story, the mitmproxy feed is filling up with GET requests. Alongside that you will also see links ending in .mp4 or .jpg. These are links to the videos and photos you are actually watching on your phone. Here is what I see as I watch the mercedesbenz story:

You might have to delete and reinstall the Instagram app if the data isn’t showing up in your mitmproxy feed, as it might be cached on the phone from prior viewings.

9. You can copy and paste those links into your browser and get access to the photos/videos. To do that, hold the fn key on your keyboard, highlight the URL to copy it, and paste it into your browser. You should be able to save the respective media to your computer.
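The filtering in steps 6 to 8, as an added example that is not part of the original post: it picks media requests by the file extension of the URL path instead of by the text "mp4" or "jpg" appearing anywhere, and drops repeats. The flow list, hosts and paths are constructed sample data, and the function names are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

MEDIA_EXTENSIONS = {".mp4", ".jpg"}

# Constructed sample of (method, URL) pairs, standing in for a proxy flow list.
# Hosts, paths and tokens are made up for illustration.
SAMPLE_FLOWS = [
    ("GET", "https://media.example.test/vp/abc123/story_1.mp4?token=xyz"),
    ("GET", "https://media.example.test/vp/def456/story_2.jpg"),
    ("POST", "https://api.example.test/v1/feed/?supports=mp4"),
    ("GET", "https://api.example.test/v1/jpg_settings/"),
    ("GET", "https://media.example.test/vp/abc123/story_1.mp4?token=xyz"),
    ("GET", "https://media.example.test/vp/ghi789/STORY_3.JPG"),
]


def is_media_url(url):
    """True when the URL *path* (query string ignored) ends in a media extension."""
    path = urlsplit(url).path
    extension = posixpath.splitext(path)[1].lower()
    return extension in MEDIA_EXTENSIONS


def media_urls(flows):
    """Return unique media URLs from GET requests, in the order first seen."""
    seen = set()
    result = []
    for method, url in flows:
        if method != "GET" or not is_media_url(url):
            continue
        if url not in seen:
            seen.add(url)
            result.append(url)
    return result


def substring_matches(flows):
    """Plain substring check, shown for comparison with the extension check."""
    return [url for _, url in flows if "mp4" in url or "jpg" in url]


if __name__ == "__main__":
    print("substring check:", len(substring_matches(SAMPLE_FLOWS)), "flows")
    for url in media_urls(SAMPLE_FLOWS):
        print("media:", url)
```

On the sample data the substring check keeps two API calls and a duplicate and misses the upper-case .JPG, while the extension check returns the three distinct media URLs.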

There you have it. You can use mitmproxy to look at the network traffic of several other apps too. You might find something interesting, you never know.
Once you are done, go ahead and turn off HTTP Proxy in Wi-Fi settings and delete the mitmproxy profile, so that the phone no longer trusts the mitmproxy CA, in

Settings -> General -> Profile

If your phone is jailbroken, this can now also be done with certain Cydia tweaks, which didn’t exist at the time of this experiment.