A critical Instagram bug could allow attackers to convert a mobile device into a spying tool through an Instagram account takeover, according to Check Point researchers. If an Instagram user saved a malicious image and then opened the Instagram app, the bug would be triggered, granting the attacker full access to the app and to critical features of the device. The Instagram bug originated in a third-party library the Instagram app uses when uploading pictures.
A third-party library compromised the Instagram application
The critical Instagram flaw was a remote code execution (RCE) vulnerability in the photo-sharing app. The bug, assigned tracking code CVE-2020-1895, existed in the Mozjpeg code library. Mozjpeg is a third-party JPEG image decoder used in various applications for image processing. Researchers described the Instagram bug as an integer overflow that leads to a heap overflow in the photo-sharing app.
A threat actor could launch an account takeover attack by sending a malicious image with specially crafted dimensions through WhatsApp or email. When a user saved the image and opened the Instagram app, the Instagram RCE vulnerability would be triggered. An attacker could access messages, images, and contacts. The attacker could also delete or post photos on Instagram. Further, the hacker could crash the Instagram application, forcing the user to delete and reinstall it.
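The article names the bug class (an integer overflow in an image decoder that becomes a heap overflow when the image dimensions are attacker-controlled) without showing what that looks like in code. The following is an added illustration written for this page; it is not Mozjpeg, Instagram or Check Point code and does not reproduce the actual CVE-2020-1895 defect. It contrasts a size calculation that wraps silently with a checked version that rejects dimensions before any allocation happens. The function names and the 268-megapixel sanity cap are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative only (not Mozjpeg or Instagram code): how a decoder might size
   the buffer that receives decoded pixels, using width/height/components taken
   straight from an untrusted image header. */

/* Unchecked variant: width * height * components is computed in 32-bit
   arithmetic and can wrap around. The allocation then comes out far smaller
   than the pixel data the decoder goes on to write, which is the
   "integer overflow causing a heap overflow" pattern the article describes. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t components) {
    return width * height * components; /* may wrap silently to a tiny value */
}

/* Hardened variant: reject impossible inputs up front, cap the pixel count at a
   value no real photo exceeds (assumption: 2^28 pixels, roughly 16k x 16k), and
   check each multiplication before performing it so the product can never wrap. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t components, size_t *out) {
    const size_t max_pixels = (size_t)1 << 28; /* assumed sanity cap */

    if (out == NULL) return false;
    if (width == 0 || height == 0) return false;
    if (components == 0 || components > 4) return false; /* grey, grey+alpha, RGB, RGBA */

    /* width * height would exceed the cap (and possibly wrap) -> reject */
    if ((size_t)width > max_pixels / height) return false;
    size_t pixels = (size_t)width * height;

    /* pixels * components would exceed SIZE_MAX -> reject */
    if (pixels > SIZE_MAX / components) return false;

    *out = pixels * components;
    return true;
}

/* Allocates the decode buffer only when the checked size calculation accepts
   the header values; returns NULL otherwise so the caller aborts the decode. */
unsigned char *allocate_decoded_buffer(uint32_t width, uint32_t height, uint32_t components) {
    size_t n;
    if (!checked_buffer_size(width, height, components, &n)) return NULL;
    return calloc(n, 1);
}

int main(void) {
    /* Constructed header values: a 65536 x 65537 "image" with 3 components.
       The true size is ~12.9 GB, but the unchecked product wraps to 196608. */
    uint32_t w = 65536, h = 65537, c = 3;
    printf("unchecked size: %u bytes (wrapped)\n", unchecked_buffer_size(w, h, c));

    size_t n;
    printf("checked size accepted: %s\n", checked_buffer_size(w, h, c, &n) ? "yes" : "no");

    /* An ordinary 1920 x 1080 RGB image passes the checks. */
    if (checked_buffer_size(1920, 1080, 3, &n)) printf("1080p RGB buffer: %zu bytes\n", n);

    unsigned char *buf = allocate_decoded_buffer(w, h, c);
    printf("allocation for crafted header: %s\n", buf ? "performed" : "refused");
    free(buf);
    return 0;
}
```

The point of the checked version is that the comparison is done against the divided bound (`max_pixels / height`, `SIZE_MAX / components`) before the multiplication, so there is no intermediate value that can wrap; checking the product after computing it would itself be reading a wrapped number.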
The Instagram bug was discovered six months ago, but Facebook only recently disclosed the information since most users had already updated their applications. Consequently, their Instagram installations were no longer at risk of account takeover attacks.
Mitigating device and Instagram account takeover risks
Yaniv Balmas, the head of cyber research at Check Point, warned developers about relying on third-party libraries. He said that while such libraries could save development time by handling common tasks such as sound and image processing, they could also compromise the final product’s security.
He advised developers to vet third-party libraries to ensure that they integrated properly with their products without introducing any vulnerabilities. Balmas also pointed out that although the vulnerability was only recently discovered on Instagram, more products could be affected.
Similarly, Check Point researchers believe that the Instagram bug was just the tip of the iceberg. The open-source Mozjpeg library is used in other projects, including other open-source projects such as Mozilla, sharp, and libvips.
Balmas also encouraged end-users to review the permissions requested by various applications. The team leader implied that users should be wary of applications that request permissions unnecessary for their operations. He also urged users to update their operating systems and applications to take advantage of the software patches frequently released to fix various flaws.
Not accepting images from unknown sources is another recommended way of preventing an Instagram account takeover attack. For influencers, celebrities, and corporate users, keeping separate accounts could mitigate the Instagram account takeover risk.
Javvad Malik, Security Awareness Advocate at KnowBe4, says that account takeover attacks are very lucrative because social media accounts contain a lot of sensitive information. He advised professional social media users to keep separate personal and work accounts.
“For influencers or brand managers who use Instagram or other social media in a professional capacity, it’s worth considering using separate devices for work (i.e., Instagram) and personal social media uses. This would apply to not just the influencers and celebrities themselves, but also any staff that supports them and have access to their accounts.”
Users should also avoid unknowingly saving images by disabling the autosaving feature on various communications applications such as WhatsApp. The most popular instant messaging app could be used to launch account takeover attacks. For example, experts believe that Jeff Bezos’s phone was hacked after receiving a malicious WhatsApp video.
Josh Bohls, CEO and founder of Inkscreen, noted that organizations should implement multimedia management policies to protect themselves from similar attacks.
“It is clear that individuals, companies, and government organizations need to take greater caution with multimedia content on mobile devices. In the case of enterprise and government, it is critical to have an enterprise mobility management (EMM) platform in place with threat detection capabilities, as well as a secure camera application with encrypted containerized content storage and data leakage prevention (DLP) controls. This combination of technologies will ensure that any photos or videos saved to the device are inspected, managed, and protected. The mantra of ‘secure content capture’ has never been more important.”