Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

How Instagram could have let hackers capture your device

Imagine logging in to your Facebook or Instagram account only to find that you’ve uploaded pornographic images or insulted your friends – but you know you never did anything of the sort. It would feel like someone had just broken into your house and rummaged through your private stuff. Recently, a dangerous bug in Instagram could have made that a reality.

How Instagram could have let hackers capture your device

What happened?

A week ago, the Check Point cybersecurity research group discovered a bug that could allow hackers to take over users’ mobile phones by exploiting Instagram on Android phones. They could achieve this simply by sending an image to the victim’s phone. All the victim had to do is save the image and then open Instagram afterward. After breaching the device, cybercriminals could have taken over your social media account, injected malicious code into your device, monitor your activities, or crash your app completely. They could also gain access to any resources on the phone pre-allowed by Instagram. This bug affected all Instagram versions released before the 10th of February, 2020. Luckily, Facebook managed to release an update and mitigate the risk.

However, Facebook itself is a great privacy risk for Instagram users. Recently, the company has been sued for spying on its users using iPhone cameras after users noticed the camera turning on when they scrolled through their Instagram feed. Facebook claimed that this was a bug and promised to fix it. But given the company’s tendency towards data hoarding, it’s easy to imagine more similar bug occuring in the future.

How is the instagram hack done?

The flaw exploited MozJPEG, an image file compressor integrated into the Instagram app. When the compressor attempted to edit the malicious image, the bug would allow the cybercriminal to take over the memory allocated to the image and overwrite the data. As a result, they can corrupt the heap, the tree-like data structure, and affect the code execution. Then an intruder can take over your device.

This situation illustrates the importance of properly integrating third-party libraries as they can become a vulnerable spot otherwise.

How to avoid future threats

Avoiding such a subtle attack is difficult, but here are some preventive measures:

  • Constantly update your app. Facebook issued a fix soon after hearing about the issue. Responding to updates quickly can protect from similar threats in the future;
  • Manage app permissions. Always make sure you trust the app before allowing it to control your device or access your data. Even with apps you trust, consider giving them less access than they’re asking for. They don’t always need all of it to operate;
  • Delete Instagram and go for a more secure and private app.

Also, check our tips on how to prevent your Instagram from being hacked.