Check Point Security experts discovered a dangerous vulnerability allowing hijack a user's account and turn their phone into a spy tool.
The bug scored 7.8 out of 10 on the CVSS vulnerability rating scale. Fortunately, the problem was fixed back in February 2020, as it was revealed more than half a year ago, and the developers had enough time to create and distribute patches.
It was needed only to send a malicious image for an attack via email, messenger, etc. As soon as the victim saved this image and relaunched Instagram, the exploit was triggered. It gave the hackers full access to the victim's Instagram messages and pictures, allowing them to post or delete the images, get access to phone contacts, camera, location data, etc.
Such attacks invade users' privacy and can affect their reputation or lead to more severe security problems. An exploit could be used to disable the Instagram app at its most basic level, which will not work until the user uninstalls and reinstalls it from their device.
The problem was how Instagram works with third-party libraries used for image processing. Check Point experts were interested in MozJPEG, an open-source JPEG decoder developed by Mozilla that Instagram used to process images.
As it turned out, MozJPEG was misused on Instagram, and the researchers managed to provoke an integer overflow when the vulnerable read_jpg_copy_loop function tried to process a malicious image with specified dimensions.
Check Point experts said that fuzzing revealed several problems at once, one of which could be used as RCE and triggered without user intervention.
Analysts also claim that this problem is relevant for many applications. For example, a mapping app might have access to a user's location, but it shouldn't have access to a microphone and a camera, and a dating app should have access to a camera but nothing else.
Experts warn that if applications have access to many of your smartphone's functions, a hacker will easily access GPS data, microphone, contacts, camera, and more.