
Instagram iOS & Android app flaw allowed full account access to hackers

 

Instagram is a social media platform used predominantly by millennials today, overtaking even Facebook. Its security therefore matters, given the vast amount of personal information that circulates on the platform.

A vulnerability could, of course, be very critical in such circumstances. Researchers from Check Point recently came across a flaw in both the Android and iOS Instagram apps that would allow attackers to take over user accounts and access or edit their messages, images, posts, followers list, and everything else that is part of the account.

In fact, they could even crash the app. This could lead to a serious privacy invasion for individuals along with data loss.

The vulnerability could be exploited through a simple malicious image that an attacker would send to a victim via any channel, be it the Instagram app itself, email, WhatsApp, or Facebook.



Once the user saved the image and afterward opened the Instagram app, the attacker would automatically be granted access to the victim’s account. This could be termed a Remote Code Execution (RCE) attack and, alarmingly, it would even allow attackers to perform functions not inherently available to users on Instagram.

It is worth noting that a hacker also recently exploited an RCE vulnerability to hack into Facebook. The researchers explained in their blog post:

Since the Instagram app has very extensive permissions, this may allow an attacker to instantly turn the targeted phone into a perfect spying tool – putting the privacy of millions of users at serious risk.

 

The source of the vulnerability lay in the use of Mozjpeg, an open-source third-party JPEG image decoder. The researchers informed both Facebook and Instagram, who, as expected, have already released a patch: it shipped 6 months ago. Disclosure of the flaw's details was delayed until now to make sure the massive number of users globally had updated to the new version.

A snapshot of Facebook’s advisory on the vulnerability

For in-depth technical details, visit Check Point’s research blog post.



To conclude, there are no confirmed reports of anyone exploiting this flaw. Nonetheless, it is another example of the increasing sophistication of technology: we now need to fear not only executable files but also plain JPEGs, as seen in this case.

For the future, users are advised to also have an anti-virus program installed on their smartphones to serve as a layer of security, even if it is not bulletproof. Additionally, always update your apps regularly, no matter how annoying it may seem.
