In a report, Check Point researchers revealed details of a critical vulnerability in the Android app for Instagram. It would have allowed the attackers to take remote control over a targeted device just by sending a specially created image to the victims’ phones.
The problem not only allows hackers to perform actions on behalf of the user within the Instagram application, including spying on the victim’s private messages and even deleting or posting photos from their accounts, but can even execute code on the device.
The Instagram issue has been kept secret
right a message posted by Facebook, the security issue affects all versions of Instagram before 18.104.22.168.128. “This vulnerability makes the device a tool to spy on targeted users without their knowledge, and allows malicious manipulation of their Instagram profile,” Check Point Research said in their analysis. “In both cases, the attack could lead to a massive invasion of user privacy and damage its reputation, or it could lead to even more serious security risks.”
After the findings were reported on Facebook, the company addressed the issue with an update released six months ago.
The disclosure has been delayed all this time to allow most Instagram users to update the app, thus reducing the risk that this vulnerability may introduce.
Hackers could access your phone applications
Conform Check Point, memory corruption vulnerability allows remote code execution that, given Instagram’s extensive permissions to access a user’s camera, contacts, GPS, photo gallery, and microphone, could be leveraged to perform any malicious action on infected device.
As for the error itself, it comes from the way Instagram integrated MozJPEG, causing an overload when the function in question tries to analyze a malicious image with specially created dimensions.
The consequence of such a vulnerability is that all a potentially malicious actor has to do is send a corrupt JPEG image to a victim via email or WhatsApp.
Once the recipient saves the image on the device and launches Instagram, the exploitation takes place automatically, giving the attacker full control over the application.
Although Facebook has confirmed that there were no signs that this bug has been exploited globally, the incident is a good reminder of the importance of constantly updating applications and taking into account the permissions you grant them.