A critical vulnerability disclosed in Instagram could have led to remote code execution and the hijacking of smartphone cameras and microphones, triggered by sending victims a specially crafted image.
The flaw was discovered by Check Point researchers, who described it as “a critical vulnerability in Instagram’s image processing.”
The flaw not only allows attackers to perform actions on behalf of the user within the Instagram app, such as spying on the victim’s private messages and deleting or posting photos from their account, but also to execute arbitrary code on the device.
The vulnerability was privately disclosed to Facebook, the owner of Instagram, and is tracked as CVE-2020-1895 with a CVSS score of 7.8. The company released a patch six months ago to address the issue. Public disclosure was delayed to allow the majority of Instagram’s users to update the app and thereby reduce the risk the vulnerability poses.
The vulnerability is a heap overflow that occurs in Instagram for Android when the app attempts to upload an image with specially crafted dimensions. It affects versions prior to 184.108.40.206.128.
According to a blog post by Check Point researchers, an Instagram account could be taken over by simply sending a single malicious image. The crafted image can be delivered through email, WhatsApp, SMS, or any other communications platform and is then saved to the victim’s device.
Whether the image is saved locally or manually makes no difference: simply opening Instagram afterward is enough to execute the malicious code.
The issue lies in how Instagram handles the third-party libraries it uses for image processing. Check Point focused on Mozjpeg, an open source JPEG decoder developed by Mozilla, which Instagram used improperly to handle image uploads.
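As an added illustration of the defensive check a bug of this kind calls for (this is not Instagram's or Mozjpeg's code), the C below reads the dimensions out of a JPEG SOF0 header and computes the decode-buffer size with explicit overflow detection and a size cap before anything would be allocated. It assumes, as the description of crafted dimensions suggests, that the buffer size is derived from the dimensions in the file header; the JPEG bytes and the 64 MiB cap are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy cap on one decoded image (assumed value for this illustration). */
#define MAX_IMAGE_BYTES (64ull * 1024 * 1024)

/* Pull height, width and component count out of the first SOF0 segment.
 * Returns false on a malformed header or a zero-sized image. */
static bool parse_sof0(const uint8_t *buf, size_t len,
                       uint32_t *width, uint32_t *height, uint32_t *comps)
{
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return false; /* SOI */
    size_t i = 2;
    while (i + 4 <= len && buf[i] == 0xFF) {
        uint8_t marker = buf[i + 1];
        size_t seglen = ((size_t)buf[i + 2] << 8) | buf[i + 3];
        if (seglen < 2 || i + 2 + seglen > len) return false; /* truncated */
        if (marker == 0xC0) {               /* SOF0: Lf, P, Y, X, Nf, ... */
            if (seglen < 8) return false;
            *height = ((uint32_t)buf[i + 5] << 8) | buf[i + 6];
            *width  = ((uint32_t)buf[i + 7] << 8) | buf[i + 8];
            *comps  = buf[i + 9];
            return *width && *height && *comps;
        }
        i += 2 + seglen;                    /* skip to the next segment */
    }
    return false;
}

/* Decode-buffer size in bytes, or 0 if the header is bad, the product
 * width*height*comps would wrap, or the image exceeds the policy cap. */
uint64_t image_buffer_bytes(const uint8_t *buf, size_t len)
{
    uint32_t w, h, c;
    if (!parse_sof0(buf, len, &w, &h, &c)) return 0;
    uint64_t pixels = (uint64_t)w * h;      /* 32x32-bit product fits in 64 */
    if (pixels > UINT64_MAX / c) return 0;  /* would wrap on the next multiply */
    uint64_t bytes = pixels * c;
    return bytes > MAX_IMAGE_BYTES ? 0 : bytes;
}

/* Constructed samples: a benign 640x480 3-component header, and one that
 * declares 65535x65535 so a 32-bit size computation would wrap. */
const uint8_t sample_benign[]  = { 0xFF,0xD8, 0xFF,0xC0,0x00,0x11,0x08, 0x01,0xE0, 0x02,0x80,
                                   0x03, 0x01,0x22,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };
const uint8_t sample_crafted[] = { 0xFF,0xD8, 0xFF,0xC0,0x00,0x11,0x08, 0xFF,0xFF, 0xFF,0xFF,
                                   0x03, 0x01,0x22,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };

int main(void)
{
    printf("benign:  %llu bytes\n", (unsigned long long)image_buffer_bytes(sample_benign, sizeof sample_benign));
    printf("crafted: %llu bytes (0 = rejected)\n", (unsigned long long)image_buffer_bytes(sample_crafted, sizeof sample_crafted));
    return 0;
}
```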
A crafted image file may contain a payload that can harness Instagram’s permissions on the mobile device, granting access to “any resource in the phone that is pre-allowed by Instagram.”
The bug could also be exploited to crash a user’s Instagram app, denying them access until they delete it from the device and reinstall it, potentially causing data loss as well.
Facebook stated that there was no evidence the vulnerability had been exploited.