Posted on September 25, 2020 at 1:43 PM
Security researchers at Check Point discovered a new vulnerability in the Instagram app that enables hackers to turn mobile devices and smartphones into spying tools by hacking their Instagram app.
It is not clear whether any hacker has succeeded in exploiting the vulnerability and infiltrating a user’s smartphone, but Facebook has already provided a patch to fix the bug.
The Instagram video-sharing app has more than 1 billion users all over the world. Recently, there was a report that Facebook is likely using the Instagram app to spy on users.
Critical bug leads to remote code execution
According to the Check Point researchers, the critical bug in the app can result in remote code execution and the hijacking of microphones, cameras, and smartphones.
The more critical issue is not only the ability of hackers to use the user’s phone as a tool to carry out hacking activities but the ability to execute arbitrary code on the device.
According to a recently published advisory by Facebook, the vulnerability, known as CVE-2020-1895, affects all versions of the Instagram app before the release of a patch earlier this year.
The hacker could send the victim a malicious image file, which will be enough to take over their Instagram account due to the app vulnerability. When the victim saves the malicious image and opens it in the app, the hacker will be granted complete access to the victim’s Instagram images and messages. The exploit will also give the hacker access to other areas, including location data, camera, and the phone’s contacts.
Hackers can succeed in this exploitation because of the permissions the app can ask the user to grant.
For instance, a map application doesn’t have permission to access the user’s location, although it should have access to their microphone. Similarly, a dating app has no permission to access any other area except having access to the user’s camera.
However, an app such as Instagram has a comprehensive permission list, which makes it easier for hackers to take full control of the device.
“This vulnerability turns the device into a tool for spying on targeted users without their knowledge,” a Check Point researcher said in a recently published analysis.
In this case, the vulnerability could result in a substantial invasion of the target’s privacy, and it could lead to more severe security issues in the future.
The vulnerability was patched six months ago
When Facebook received information about the vulnerability, it addressed the issue by patching it six months ago. “We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook revealed.
However, disclosure to the public was delayed to give most Instagram users time to update the app, reducing the risk posed by the vulnerability.
While the social media giant confirmed that there’s probably no sign the vulnerability was exploited globally, it’s still a reminder for users to always ensure their apps are kept up to date. They should also be careful about the permissions they grant to apps.
The flaw originates from the integration of MozJPEG, a JPEG encoder that provides better image compression and lowers bandwidth. This leads to an integer overflow when the vulnerable code tries to parse a malicious image with specially crafted dimensions.
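The class of bug described above, shown as an added illustration (this is not Instagram's or MozJPEG's code): a buffer size computed from image dimensions in 32-bit arithmetic wraps around, next to a checked version that rejects such dimensions. The function names, the sample dimensions and the size limits are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy limits for this example (assumed values, not from any real app). */
#define MAX_DIM         16384u                /* largest accepted width or height */
#define MAX_PIXEL_BYTES (256u * 1024 * 1024)  /* largest accepted decoded buffer */

/* Unchecked form: the 32-bit product silently wraps modulo 2^32, so the
 * result can be far smaller than the number of bytes the decoder will write. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked form: validate each field, compute in 64 bits, enforce a cap. */
bool checked_size(uint32_t width, uint32_t height, uint32_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    if (width > MAX_DIM || height > MAX_DIM)
        return false;
    /* Each factor is bounded above, so the 64-bit product cannot overflow. */
    uint64_t total = (uint64_t)width * height * channels;
    if (total > MAX_PIXEL_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

int main(void)
{
    /* Constructed header values: the true size is 2^32 + 131072 bytes. */
    uint32_t w = 32768, h = 32769, c = 4;
    size_t n = 0;

    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(w, h, c));
    printf("checked:   %s\n", checked_size(w, h, c, &n) ? "accepted" : "rejected");
    if (checked_size(1920, 1080, 3, &n))
        printf("1920x1080x3: %zu bytes\n", n);
    return 0;
}
```

A decoder that allocates the unchecked value and then writes one row per line of the image writes past the end of the allocation; the checked form fails closed before any allocation happens.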
Issues with Instagram’s dealings with third-party libraries
In a blog post yesterday, Check Point noted that delivering a single malicious image is enough to take full control of the user’s Instagram. The attack can be engineered when the crafted image is sent through SMS, WhatsApp, or email.
No matter where the image is saved, the malicious code can execute if the user opens the Instagram account.
The main problem is how Instagram deals with third-party libraries used for image processing. The MozJPEG library was developed by Mozilla and was not used properly by Instagram when handling images.
A specially crafted image file may contain a payload that can harness the extensive permissions of the Instagram app on mobile devices and grant access to any network pre-allowed by Instagram.
Basically, the hacker can exploit the vulnerability to crash the victim’s Instagram account and deny them any access to the app until they delete it and reinstall it on the device.