Researchers at cybersecurity firm Check Point have found a critical vulnerability in the Instagram app that would have given an attacker the ability to take over a victim’s account.
The vulnerability, discovered earlier this year, could have allowed hackers to turn the phones of the victims into a spying tool, simply by sending them a malicious image file, media reports indicated.
When the image is saved and opened in the Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera and location data.
After the findings were disclosed to Facebook and the Instagram teams, Facebook issued a patch to remediate the issue on the newer versions of the Instagram application on all platforms, Check Point said.
“We strongly encourage all Instagram users to ensure they are using the latest Instagram app version and to update if any new version is available,” Check Point said.
A part of the Facebook family of apps, Instagram is one of the most popular social media platforms globally, with over 100 million photos uploaded every day, and nearly one billion monthly active users.
The researchers decided to review the security of Instagram’s mobile app given its popularity and wide-ranging permissions that the app seeks from users.
The research revealed a critical vulnerability that might allow the attackers what is technically referred to as “remote code execution,” or RCE.
This vulnerability can allow an attacker to perform any action they wish in the Instagram app.
So how does such a popular application include vulnerabilities, when huge amounts of time and resources are invested in developing it?
The answer is that most modern app developers do not actually write the entire application on their own: if they did so it would take years to write an application.
Instead, they use third party libraries to handle common (and often complicated) tasks such as image processing, sound processing, network connectivity, and so on.
This frees the developers to handle only the coding tasks, which represent the apps core business logic.
However, this relies on those third party libraries being completely trustworthy and secure.
The Check Point researchers examined the third party libraries used by Instagram.
The vulnerability they found was in the way that Instagram used Mozjpeg – an open source project used by Instagram as its JPEG format image decoder for images uploaded to the service.
In the attack scenario described in the study, an attacker can send an image to their target victim via email, WhatsApp or another media exchange platform.
The target user saves the image on their handset, and when they open the Instagram app, the exploitation takes place, allowing the attacker full access to any resource in the phone that is pre-allowed by Instagram.
These resources include contacts, device storage, location services and the device camera.
In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will, Check Point said.