Instagram vulnerability could have led to account hijacks; now fixed

Detected by the researchers at Check Point, the vulnerability in question tied to Instagram's implementation of Mozjpeg - an open-source project to decode JPEG format images on the service.

They found that the issue could have been exploited by simply sending a malicious image to the target and tricking them into downloading it on their phone.

Once the target downloaded the malicious image and opened it on Instagram, the exploitation would begin, with the bad image giving the attackers access to every resource pre-allowed by the service.

This, the researchers noted, meant that they could take over an account completely, gaining access to its photos, messages, as well as on-device data such as contacts, camera, storage, and location.

The researchers disclosed the bug to Facebook, following which the social network issued a patch for the Instagram app.

The flaw only affected the Android app and the fix has been available for six months, the team said.

In case your Instagram app has not been updated during this period, it is highly recommended to install the latest release to avoid any security breaches.

Facebook has not commented on the matter, given that the flaw has already been fixed.

However, in its official advisory, the company said the flaw existed in Instagram versions prior to 128.0.0.26.128.

"A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions," it added in the notice.