Imagine logging in to your Facebook or Instagram account only to find that you’ve uploaded pornographic images or insulted your friends – but you know you never did anything of the sort. It would feel like someone had just broken into your house and rummaged through your private stuff. Recently, a dangerous bug in Instagram could have made that a reality.
A week ago, the Check Point cybersecurity research group discovered a bug that could allow hackers to take over users’ mobile phones by exploiting Instagram on Android. An attacker could achieve this simply by sending an image to the victim’s phone. All the victim had to do was save the image and then open Instagram afterward. After breaching the device, cybercriminals could have taken over your social media account, injected malicious code into your device, monitored your activities, or crashed your app completely. They could also have gained access to any resources on the phone that Instagram was already permitted to use. This bug affected all Instagram versions released before the 10th of February, 2020. Luckily, Facebook managed to release an update and mitigate the risk.
However, Facebook itself is a great privacy risk for Instagram users. Recently, the company has been sued for spying on its users using iPhone cameras after users noticed the camera turning on when they scrolled through their Instagram feed. Facebook claimed that this was a bug and promised to fix it. But given the company’s tendency towards data hoarding, it’s easy to imagine more bugs like this occurring in the future.
The flaw exploited MozJPEG, an image file compressor integrated into the Instagram app. When the compressor attempted to edit the malicious image, the bug would allow the cybercriminal to take over the memory allocated to the image and overwrite the data. As a result, they could corrupt the heap, the tree-like data structure, and affect code execution. An intruder could then take over your device.
This situation illustrates the importance of properly integrating third-party libraries, which can otherwise become a weak point.
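One defensive pattern for wrapping a third-party image decoder, shown as an added example that is not from the original article, Check Point's research, or Instagram's code: validate the dimensions an image declares before sizing the buffer that will hold its pixels. It assumes the buffer is sized from the header-declared width, height and channel count (the article does not say how Instagram computed it); all function names and limits are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical policy limits chosen for this example. */
#define MAX_DIMENSION   16384u
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked pattern: 32-bit arithmetic wraps, so the size can come out
 * far smaller than what the decoder will later write. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked pattern: 0 on success with the size in *out, -1 if the
 * dimensions are implausible or the product would exceed the limit. */
int checked_size(uint32_t width, uint32_t height, uint32_t channels,
                 size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return -1;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return -1;
    size_t row = (size_t)width * channels;   /* <= 65536, cannot wrap */
    if (row > MAX_IMAGE_BYTES / height)      /* divide instead of multiply */
        return -1;
    *out = row * height;
    return 0;
}

/* Allocate the pixel buffer only after the declared size is validated. */
void *alloc_pixels(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t bytes;
    if (checked_size(width, height, channels, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    void *ok  = alloc_pixels(1920, 1080, 3);
    void *bad = alloc_pixels(65536, 65536, 4);
    int rc = (ok != NULL && bad == NULL) ? 0 : 1;
    free(ok);
    return rc;
}
```

Rejecting the image before allocation means the decoder never gets to write into a buffer whose size was derived from untrusted header fields.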
Avoiding such a subtle attack is difficult, but here are some preventive measures:
Also, check our tips on how to prevent your Instagram from being hacked.