Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s code that not only allows hackers full access to your Instagram account but also your mobile device.
How Does the Vulnerability Work?
Check Point Research evaluated Instagram security code for both iOS and Android platforms and found the issue on Android (named: CVE-2020-1895), an integer overflow that controls the dimensions of a JPEG file. It ties in with an open-source JPEG encoder library called MozJPEG integrated into Instagram to compress images efficiently. The vulnerable function in question is called (“readjpgcopy_loop”).
Using this bug in the code, hackers can manipulate the file size of a JPEG and when the code crashes, use that opportunity to overwrite the functions and control what the program does. Hackers could have easily exploited this error by sending the user a JPEG with malformed dimensions via email or WhatsApp to trigger the fault and then replace the code with a function of their own.
The most alarming aspect of this vulnerability is that it allows hackers to target someone’s Instagram account and send commands to the mobile device accessing hardware or software components at will. The bug is as effective as any malware infection allowing cybercriminals to spy on the victim and access the most private areas of their phone. This intrusion is a gateway to identity theft and a serious invasion of privacy.
Since this heap overflow bug is tied to Instagram and the app’s permission allows access to the phone’s camera, microphone, photo library, contacts, GPS, and more, it leaves the user very vulnerable to all sorts of privacy violations and the loss of personal information.
What is Facebook Doing About It?
Check Point Research reported their findings and test results to Facebook, and the company quietly released a patch back in April to fix the issue. However, they did not announce it to users, and since some may not have updated the app, their phones could still be using the vulnerable code.
Facebook confirmed they found no evidence that the vulnerability was used to exploit mobile devices on a large-scale event. However, this does not mean that hackers didn’t discover and use it to access personal data before the issue was fixed.
According to an expert with Check Point Research, although “fuzzing the code” exposed this vulnerability and a few others within Instagram, it is possible and even likely that additional bugs exist that were not found, and hackers could potentially exploit them to take control.
What Can You Do to Stay Safe?
If you are one of the 1 billion monthly Instagram users, update your app immediately. Make sure you have the most recent version. According to Facebook, this issue affects any version prior to 220.127.116.11.128. Some other tips to stay safe from identity theft are:
- Update your mobile phone’s security and apply all patches as soon as they are available.
- Consider installing anti-spyware or anti-malware software and running deep scans of your mobile device often.
- Review all your app’s permissions and deny access whenever possible to limit your exposure.
- Think before approving access to any program, app, or pop-up.