Researchers at Check Point have disclosed an RCE bug in Instagram that could be exploited using just an image file. The bug lies in how Instagram handles image uploads and processing, and exploiting it can give the attacker all the permissions that Instagram has. It was reported to Facebook and patched in Instagram’s latest update, so users are advised to update immediately.
Instagram RCE Bug Can Spy on You!
With over a billion users and counting, Instagram is Facebook’s popular photo-sharing platform, used mostly by teens. The platform’s Android app is reported to have a critical bug which, if exploited, can give the hacker all the permissions that the user has already granted to Instagram.
Documented by Check Point, a cybersecurity firm, the research points out how Instagram improperly uses an open-source tool for image processing. The bug was reported to Facebook privately about six months back but was documented only now to give users time to update their apps. Tracked as CVE-2020-1895, the vulnerability was given a severity score of 7.8/10.
Facebook has released an advisory regarding the bug today, calling a “large heap overflow” the cause. It adds: “It could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 220.127.116.11.128.” Check Point researchers, on the other hand, have explained the devastating consequences of this RCE bug.
They explained how Instagram improperly used Mozjpeg, a Mozilla-developed open-source JPEG decoder, to handle image uploads. Researchers said that an attacker can hijack a target’s phone merely by sending an image file that carries a malicious payload and is crafted to trigger the bug. The image can be sent by any means, and once the user saves it to the device, the attacker has the chance to start the hack.
Opening Instagram after saving the image triggers the bug and lets the attacker gain access to the permissions the user has already granted to Instagram. These may include location, contacts, camera, and internal storage. The attacker can also use this RCE bug to interpret Direct Messages and even post or delete the user’s Instagram posts.
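The advisory ties the heap overflow to an image with specially crafted dimensions. As an added example (not Instagram's or Mozjpeg's code, and not a reconstruction of the actual flaw), this is the kind of pre-allocation check that defends against that class of input: it reads the dimensions from a JPEG's SOF segment and computes the decoded buffer size in 64-bit arithmetic against a cap. The function names, the 64 MiB cap and the sample header bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DECODED_BYTES ((uint64_t)64 * 1024 * 1024) /* assumed policy cap */
static const uint8_t SAMPLE_OK[] = {   /* constructed: 32 x 16, 3 components */
    0xFF,0xD8, 0xFF,0xC0, 0x00,0x11, 0x08, 0x00,0x10, 0x00,0x20, 0x03,
    0x01,0x11,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };
static const uint8_t SAMPLE_HUGE[] = { /* constructed: 65535 x 65535 */
    0xFF,0xD8, 0xFF,0xC0, 0x00,0x11, 0x08, 0xFF,0xFF, 0xFF,0xFF, 0x03,
    0x01,0x11,0x00, 0x02,0x11,0x01, 0x03,0x11,0x01 };

/* Read width/height/components from the first SOF segment (simplified walker:
 * every segment before SOF must carry a length). Returns 0 on success. */
static int jpeg_dimensions(const uint8_t *p, size_t n,
                           uint32_t *w, uint32_t *h, uint32_t *comps) {
    if (n < 4 || p[0] != 0xFF || p[1] != 0xD8) return -1;   /* no SOI */
    for (size_t i = 2; i + 4 <= n; ) {
        if (p[i] != 0xFF) return -1;
        uint8_t m = p[i + 1];
        size_t len = ((size_t)p[i + 2] << 8) | p[i + 3];
        if (len < 2 || len > n - i - 2) return -1;  /* segment must fit */
        /* SOF0..SOF15, excluding DHT (C4), JPG (C8) and DAC (CC) */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (len < 8) return -1;                 /* too short for SOF */
            *h = ((uint32_t)p[i + 5] << 8) | p[i + 6];
            *w = ((uint32_t)p[i + 7] << 8) | p[i + 8];
            *comps = p[i + 9];
            return 0;
        }
        i += 2 + len;
    }
    return -1;
}

/* Decoded size = w * h * comps, or 0 if the header is malformed, a dimension
 * is zero, the component count is implausible, or the size exceeds the cap. */
size_t safe_decoded_size(const uint8_t *p, size_t n) {
    uint32_t w, h, c;
    if (jpeg_dimensions(p, n, &w, &h, &c) != 0) return 0;
    if (w == 0 || h == 0 || c == 0 || c > 4) return 0;
    uint64_t pixels = (uint64_t)w * h;      /* 64-bit product cannot wrap */
    if (pixels > MAX_DECODED_BYTES / c) return 0;   /* check before multiply */
    return (size_t)(pixels * c);
}

int main(void) {
    printf("ok=%zu huge=%zu\n", safe_decoded_size(SAMPLE_OK, sizeof SAMPLE_OK),
           safe_decoded_size(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

A caller allocates only when the returned size is non-zero and passes that same size to the decoder as its output bound.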