Instagram bug opened a path for hackers to hijack app, turn smartphones into spies

The RCE vulnerability, now patched, took nothing more than an image file to trigger.
Written by Charlie Osborne, Contributing Writer

Facebook has patched a critical vulnerability in Instagram that could lead to remote code execution and the hijack of smartphone cameras, microphones, and more. 

Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as "a critical vulnerability in Instagram's image processing."

Tracked as CVE-2020-1895 and issued a CVSS score of 7.8, Facebook's security advisory says the vulnerability is a heap overflow problem.

See also: Adobe out-of-band patch released to tackle Media Encoder vulnerabilities

"A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to," the advisory says. 

In a blog post on Thursday, Check Point cybersecurity researchers said sending a single malicious image was enough to take over Instagram. An attack can be triggered once a crafted image is sent -- via email, WhatsApp, SMS, or any other communications platform -- and then saved to a victim's device.

Whether or not an image is saved locally or manually, just opening Instagram afterward is enough for malicious code to execute. 

The issue is in how Instagram handles third-party libraries used for image processing. In particular, Check Point focused on Mozjpeg, an open source JPEG decoder developed by Mozilla that was improperly utilized by Instagram to handle image uploads. 

A crafted image file can contain a payload able to harness Instagram's extensive permissions list on a mobile device, granting access to "any resource in the phone that is pre-allowed by Instagram," the team says. 

CNET: Twitter faces class-action privacy lawsuit for sharing security info with advertisers

This could include accessing a device's phone contacts, location/GPS data, camera, and locally-stored files. On the Instagram app itself, the RCE vulnerability could also be used to intercept direct messages and read them; delete or post photos without permission, or change account settings. 

"At the most basic level, the exploitation could be used to crash a user's Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data," Check Point added.

TechRepublic: How to create a secure username

The write-up of the vulnerability was made six months after private disclosure to give the majority of handset users time to accept security updates and mitigate the risk of exploit. 

"We've fixed the issue and haven't seen any evidence of abuse," Facebook said. "We're thankful for Check Point's help in keeping Instagram safe."

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards