In a nutshell: Researchers at cybersecurity firm Check Point have discovered a vulnerability in Instagram's mobile app that allows an attacker to hijack a target's phone remotely. The user's GPS location, phone contacts, and even the camera can be accessed with this method. It all starts with one malicious photo.
The way it works is the attacker sends the target a photo. The picture can come via email, WhatsApp, or "any other media exchange platform." The victim must save the image to the phone. Saving can happen manually, but depending on the type of phone, how it is configured, and what platform is used to transfer the picture, the phone may save it automatically. For example, WhatsApp automatically saves images by default.
Once stored on the device, embedded RCE (remote control execution) code within the image is triggered when the user opens the Instagram app. More technically, the malware creates an "Integer Overflow leading to Heap Buffer Overflow." Once exploited, the attacker gains full access to the Instagram app. The hacker can then read direct messages on the victim's Instagram account, delete or post photos, change the account profile, or just about anything else allowed by the app. The vulnerability exists on both the iOS and Android versions.
A malicious picture can trigger an Instagram vulnerability potentially resulting in RCE on mobile devices.— Check Point Research (@_CPResearch_) September 24, 2020
Read our full technical paper here:https://t.co/lkvDSPkCUj
Furthermore, since Instagram usually has permissions to access some external phone features, hackers can access GPS location, browse through contacts, turn on the phone's camera, and access files stored on the device. The attacker can also crash the Instagram app, preventing the user from accessing it until it's deleted and reinstalled.
Check Point says that the vulnerability in the Instagram app was caused by developers using third-party code for image processing. Licensing bits of code, or finding open-source alternatives, frees developers from having to design common processes from scratch. However, it can often lead to unforeseen exploits, which is what happened in this case. Specifically, Check Point found the weakness in an open-source JPEG decoder routine called "Mozjpeg."
Check Point notified Instagram's parent company Facebook of the security hole before disclosing it to the public. Facebook immediately issued a patch, so as long as your app is updated, the vulnerability should cause no problems.
"We've fixed the issue and haven't seen any evidence of abuse," a Facebook spokesperson said of the exploit. "We're thankful for Check Point's help in keeping Instagram safe."
Image credit: Ink Drop