Classified as an RCE flaw, the vulnerability directly affects millions of Instagram users on the iOS and Android platforms. Fortunately, the vulnerability was fixed early, and we recommend that users update the app.
Researchers at cybersecurity firm Check Point discovered a vulnerability in Instagram’s mobile app that allowed an attacker to remotely take over the targeted phone. With this method, it is possible to access the user’s GPS location, phone book and even the camera.
The attack begins with the attacker sending an image to the target. It can arrive by email, WhatsApp or any other platform. The target must save the picture on their phone. Images can be saved manually, but they can also be saved automatically, depending on the phone type or platform used. For example, WhatsApp automatically saves images when its settings have not been changed.
The RCE (remote code execution) code embedded in the image is triggered automatically when the user opens the Instagram application. Technically speaking, this code causes an integer overflow that leads to a heap buffer overflow.
Ultimately, the attacker gains full access to the Instagram application. Afterwards, the messages on the user’s account can be read directly, and photos can be deleted or shared, along with just about anything else. Notably, this vulnerability exists on both iOS and Android platforms.
Additionally, because Instagram usually has access to some external phone features, hackers can access GPS location, contacts, phone camera, and files stored on the device. The attacker can also crash the Instagram app and prevent the user from accessing it until the user reloads it.
Check Point says the vulnerability in the Instagram app was caused by developers using third-party code. Licensing code or adopting open source alternatives saves developers a lot of trouble. However, in some cases it can introduce unexpected security vulnerabilities. The security company found this vulnerability in an open source JPEG decoder called “Mozjpeg”.
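The integer overflow leading to a heap buffer overflow described above can be illustrated with a simplified decoder size calculation, shown next to a checked version. This is an added example, not code from Instagram, Mozjpeg or Check Point; the function names, the constructed dimensions and the 256 MiB cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on a decoded image; not a value from the article. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked: 32-bit arithmetic on attacker-controlled header fields.
 * The product wraps modulo 2^32, so the buffer requested from malloc()
 * can be far smaller than what the decode loop later writes. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked: widen to 64 bits and reject anything over the cap.
 * Returns 0 and stores the size in *out, or -1 if the image is rejected. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t channels,
                        size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return -1;
    uint64_t row = (uint64_t)width * channels;   /* always fits in 64 bits */
    if (row > MAX_IMAGE_BYTES / height)          /* row * height would exceed cap */
        return -1;
    *out = (size_t)(row * height);
    return 0;
}

/* Allocate an output buffer only when the size calculation is sound. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t n;
    if (checked_buffer_size(width, height, channels, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: true size is 4295098368 bytes. */
    uint32_t w = 32768, h = 32769, c = 4;
    printf("unchecked size: %lu bytes\n", (unsigned long)unchecked_buffer_size(w, h, c));
    printf("checked alloc : %s\n", alloc_image(w, h, c) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed dimensions the unchecked calculation yields a 131072-byte buffer for an image that needs about 4 GiB, which is the mismatch a decode loop would overrun; the checked version refuses the image before any allocation.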
The issue was reported to Instagram’s parent company, Facebook, before it was made public. Facebook, for its part, immediately released an update. A Facebook spokesperson made the following statement about the flaw:
“We fixed the problem and didn’t see any evidence of abuse. We are grateful for Check Point’s assistance.”