Instagram vulnerability could have led to account hijacks; now fixed
What's the story
Instagram has fixed a major flaw in its application. The issue opened a way for attackers to take over anyone's account on the Facebook-owned photo-sharing service and use it as a spying tool to access and steal the target's location data, personal photos, and messages, among other things. Here is all you need to know about it.
Issue
What was the flaw in question?
Detected by the researchers at Check Point, the vulnerability in question tied to Instagram's implementation of Mozjpeg - an open-source project to decode JPEG format images on the service. They found that the issue could have been exploited by simply sending a malicious image to the target and tricking them into downloading it on their phone.
Details
Once the photo was downloaded, attack could take place
Once the target downloaded the malicious image and opened it on Instagram, the exploitation would begin, with the bad image giving the attackers access to every resource pre-allowed by the service. This, the researchers noted, meant that they could take over an account completely, gaining access to its photos, messages, as well as on-device data such as contacts, camera, storage, and location.
Quote
This could have turned the app, phone into spying tools
Detailing the flaw, the researchers said, "This vulnerability could allow an attacker to perform any action they wish in Instagram. Since the Instagram app has very extensive permissions, this might allow an attacker to instantly turn the targeted phone into a perfect spying tool."
Fix
Findings were disclosed to Facebook, fixed later
The researchers disclosed the bug to Facebook, following which the social network issued a patch for the Instagram app. The flaw only affected the Android app and the fix has been available for six months, the team said. In case your Instagram app has not been updated during this period, it is highly recommended to install the latest release to avoid any security breaches.
Response
Facebook has not commented on the matter
Facebook has not commented on the matter, given that the flaw has already been fixed. However, in its official advisory, the company said the flaw existed in Instagram versions prior to 128.0.0.26.128. "A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions," it added in the notice.