Researchers from the online security company Check Point said on Thursday that they found a serious vulnerability in the Instagram application that would allow attackers to take over the victim’s account. The vulnerability was discovered earlier this year, and it may allow hackers to turn the victim’s phone into a spy tool simply by sending a malicious image file to the victim.
When the image is saved and opened in the Instagram application, the exploit will allow hackers to have full access to the victim’s Instagram messages and images, allowing them to post or delete the image at will, as well as access the phone’s contacts , Camera and location data.
Check Point said that after revealing the findings to the Facebook and Instagram teams, Facebook issued a patch to fix the issues in the updated version of the Instagram application on all platforms.
Check Point said: “We strongly encourage all Instagram users to ensure that they use the latest version of the Instagram app and update whether a new version is available.”
Instagram is part of the Facebook application family and one of the most popular social media platforms in the world. It uploads more than 100 million photos every day and has nearly 1 billion monthly active users.
Considering the popularity of Instagram’s mobile application and the wide range of permissions sought from users, the researchers decided to review it. Research has found that a serious vulnerability may make an attacker technically call it “remote code execution” or RCE. This vulnerability could allow attackers to perform any actions they wish to perform in the Instagram application.
So, how does this popular application contain vulnerabilities when a lot of time and resources are invested in development? The answer is that most modern application developers don’t actually write the entire application themselves: if they do, it will take years to write an application. Instead, they use third-party libraries to handle common (usually complex) tasks, such as image processing, sound processing, network connections, etc.
This allows developers to handle only coding tasks that represent the core business logic of the application. However, this relies on those third-party libraries that are completely trustworthy and safe.
Check Point researchers checked third-party libraries used by Instagram. The loophole they found lies in the way Instagram uses Mozjpeg-Mozjpeg is an open source project used by Instagram as its JPEG format image decoder for images uploaded to the service.
In the attack scenario described in the study, the attacker can simply send the image to the target victim via email, WhatsApp or other media exchange platforms. The target user saves the image on the phone, and when they open the Instagram application, it will be used, so that the attacker can fully access any resources in the phone allowed by Instagram. These resources include contacts, device storage, location services, and device cameras.
In fact, the attacker can completely control the application and can create actions on behalf of the user, including reading all his personal messages in his Instagram account and deleting or posting photos at will.