Instagram bug: one image file needed to trigger spying on app users

Hackers could break into the phone and spy on you through the camera and microphone by using an Instagram bug

Major Instagram bug allowed hackers to spy on victimsFacebook has fixed a major Instagram bug that could lead to big security problems.

The Instagram app had a major vulnerability which let hackers break into the victim's phone only by sending him/her a specially crafted image via a common messaging platform or over email. This bug could be exploited by attackers to deny users access to the application, take full control of victims' accounts, or use their phone to spy on them.

Technically, this issue was tracked as CVE-2020-1895.[1] Facebook, the owner of the Instagram platform, explained that the vulnerability is:[2]

A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to

Instagram[3] (commonly known as IG or Insta) is a photo and video sharing app, social media platform. This application is very popular all around the world and has over 1 billion users. The bug on Instagram was discovered by the security researchers from Check Point earlier this year.

The problem triggered by open-source JPEG decoder

The main thing is how Instagram handles third-party libraries used for image processing. Instagram improperly utilized Mozjpeg,[4] an open-source JPEG decoder, to handle image uploads. The Check Point team says the crafted image file can contain a payload able to harness apps' extensive permissions list on Android devices and grant access to all resources on the phone that is already allowed to Instagram.

Researchers explained that they decided to audit the security of the Instagram application because this social media platform is one of the most popular in the world. In their recent report,[5] Gal Elbaz wrote how the custom implementation of third-party code on Instagram could have led to serious, remote code execution risks.

Check Point said, that this vulnerability[6] turns the device into a spying tool that can be used to target victims and enable manipulations, changes on their Instagram profiles. The possible attack can lead to privacy, security, and identity theft problems.

The hacker could access to phone contacts, camera, location/GPS data, and locally stored files. Also, this vulnerability could be used to harm users through the Instagram application itself because the attacker gets full control over the app and can delete or post photos without permission, change account settings, and intercept direct messages and read them.

Facebook fixed the issue, users encouraged to use the latest version of the Instagram app

The main question after this story: is a social media app is safe to use if such a major vulnerability could occur? The cybersecurity researchers are not very optimistic but also gives recommendations:[5]

Unfortunately, it is also likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating system libraries and third party libraries, is absolutely necessary. We also recommend reducing the attack surface by restricting the receiver to a small number of supported image formats.

This vulnerability was already fixed by Facebook but the public explanation was made only now because cybersecurity researchers wanted to give time to Instagram users to update their applications. Experts also recommended using the latest Instagram app version and always update it to the newest version available in the future.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions