Instagram Vulnerability Allowed Hackers Access to Control Your Phone

  • By Dawna M. Roberts
  • Sep 29, 2020

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s code that not only allows hackers full access to your Instagram account but also your mobile device. 

How Does the Vulnerability Work?

Check Point Research evaluated Instagram security code for both iOS and Android platforms and found the issue on Android (named: CVE-2020-1895), an integer overflow that controls the dimensions of a JPEG file. It ties in with an open-source JPEG encoder library called MozJPEG integrated into Instagram to compress images efficiently. The vulnerable function in question is called (“readjpgcopy_loop”).

Using this bug in the code, hackers can manipulate the file size of a JPEG and when the code crashes, use that opportunity to overwrite the functions and control what the program does. Hackers could have easily exploited this error by sending the user a JPEG with malformed dimensions via email or WhatsApp to trigger the fault and then replace the code with a function of their own. 

The most alarming aspect of this vulnerability is that it allows hackers to target someone’s Instagram account and send commands to the mobile device accessing hardware or software components at will. The bug is as effective as any malware infection allowing cybercriminals to spy on the victim and access the most private areas of their phone. This intrusion is a gateway to identity theft and a serious invasion of privacy.

Since this heap overflow bug is tied to Instagram and the app’s permission allows access to the phone’s camera, microphone, photo library, contacts, GPS, and more, it leaves the user very vulnerable to all sorts of privacy violations and the loss of personal information.

What is Facebook Doing About It?

Check Point Research reported their findings and test results to Facebook, and the company quietly released a patch back in April to fix the issue. However, they did not announce it to users, and since some may not have updated the app, their phones could still be using the vulnerable code. 

Facebook confirmed they found no evidence that the vulnerability was used to exploit mobile devices on a large-scale event. However, this does not mean that hackers didn’t discover and use it to access personal data before the issue was fixed. 

According to an expert with Check Point Research, although “fuzzing the code” exposed this vulnerability and a few others within Instagram, it is possible and even likely that additional bugs exist that were not found, and hackers could potentially exploit them to take control. 

What Can You Do to Stay Safe?

If you are one of the 1 billion monthly Instagram users, update your app immediately. Make sure you have the most recent version. According to Facebook, this issue affects any version prior to 128.0.0.26.128. Some other tips to stay safe from identity theft are:

  • Update your mobile phone’s security and apply all patches as soon as they are available.
  • Consider installing anti-spyware or anti-malware software and running deep scans of your mobile device often.
  • Review all your app’s permissions and deny access whenever possible to limit your exposure.
  • Think before approving access to any program, app, or pop-up.
About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unk ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is PPP Loan Fraud?

What is PPP Loan Fraud?

When the pandemic hit in 2020, our world became chaotic overnight. Throughout the nation, individuals were met with layoffs or stringent checks—pushing the financials of families to their breaking points.

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Based in Philadelphia, Pennsylvania, CGM is a nationwide cementitious vendor for industries and construction projects. They are a leader in manufacturing, labeling, and distributing custom cement and patching products.

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Patients with cardiovascular issues may appear in one of the Chattanooga Heart Institute (CHI) facilities in Tennessee and Georgia.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Close
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close