#Instahack: How a malicious image could be used to take over your Instagram account and phone
September 2020 by Check Point
Security researchers at Check Point identified a critical vulnerability in Instagram, the popular photo and video sharing app with over 1 billion users worldwide. The vulnerability would have given an attacker the ability to take over a victim’s Instagram account and turn their phone into a spying tool, simply by sending them a malicious image file. When the image is saved and opened in the target’s Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera and location data.
How the attack works
To exploit the vulnerability, the attacker would only need a single, malicious image. Check Point researchers summarized the attack method in three steps:
1. Attacker sends a malicious image to a target user’s email, WhatsApp or other media exchange platform
2. Picture is saved to the user’s mobile phone. This is can be done automatically or manually depending on sending method, the mobile phone type, and configuration. A picture sent via WhatsApp for example will be saved to the phone automatically by default on all platforms.
3. Victim opens Instagram app, triggering the exploitation, giving the attacker full access for remote takeover
Total takeover of Instagram and transforming the phone into a spying tool The vulnerability gives the attacker full control over the Instagram app, enabling the hacker to take actions without the user’s consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details.
The Instagram application also has extensive permissions that are gateways to other functions on users’ phones, so an attacker could also use the vulnerability to access phone contacts, location data, phone camera and files stored on the device, turning the phone into a perfect spying tool. At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.
Danger in using 3rd party code
Check Point researchers found the vulnerability in Mozjpeg, an open source, JPEG decoder which is used by Instagram to upload images to the application. As a result, researchers are warning app developers about the potential risks of using 3rd party code libraries in their apps without checking for security flaws. Application developers frequently do not write the entire application on their own. Instead, developers save time by using 3rd party code to handle common tasks such as image and sound processing, network connectivity, and more. However, 3rd party code often contains vulnerabilities which could lead to security flaws in the overall app, as in this case with Instagram.
Check Point researchers responsibly disclosed their findings to Facebook, the owner of Instagram. Facebook promptly acknowledged the issue, describing the vulnerability as an “Integer Overflow leading to Heap Buffer Overflow". Facebook issued a patch to remediate the vulnerability on newer versions of the Instagram application on all platforms. To ensure enough Instagram users updated their applications, therefore significantly mitigating the security risk, Check Point researchers waited 6 months to publish these findings.
Yaniv Balmas, Head of Cyber Research at Check Point said: “This research has two main takeaways. First, 3rd party code libraries can be a serious threat. We strongly urge developers of software applications to vet the 3rd party code libraries they use to build their application infrastructures and make sure their integration is done properly. 3rd party code is used in practically every single application out there, and it`s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?”
“Second, people need to take the time to check the permissions an application has on your device. This “application is asking for permission” message may seem like a burden, and it`s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera my microphone, and so on?”
Facebook has issued the following comment: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”
Check Point’s Yaniv Balmas provided the following safety tips for people:
1. Update! Update! Update! Make sure you regularly update your mobile application, and your mobile operating systems. Dozens of critical security patches are being shipped out in these updates on a weekly basis, and each one can potentially have severe impact on your privacy.
2. Monitor permissions. Pay close attention to applications asking for permissions. It`s very easy for app developers to just ask the users for excessive permissions, and it’s very easy for users to just click ’Allow’ without thinking twice.
3. Think twice for approvals. Take a few seconds to really think before you approve anything. Ask: “do I really want to give this application this kind of access, do I really need it?" if the answer is no, DO NOT APPROVE.