Security researchers at Check Point identified a critical vulnerability in Instagram, the popular photo and video sharing app with more than 1 billion users worldwide. The vulnerability would have given an attacker the ability to take over a victim’s Instagram account and turn their phone into a spy tool, simply by sending them a malicious image file. When the image is saved and opened in the target’s Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, in addition to giving access to the phone’s contacts, camera and location data.
How the attack works
To exploit the vulnerability, the attacker would only need a single malicious image. The Check Point researchers summarized the attack method in three steps:
- The attacker sends a malicious image to a target user’s email, WhatsApp or other media sharing platform.
- The image is saved on the user’s mobile phone. This can be done automatically or manually depending on the sending method, mobile phone type, and settings. An image sent via WhatsApp, for example, will be saved to the phone automatically by default on all platforms.
- The victim opens the Instagram app, which triggers the exploit and gives the attacker full access for remote takeover.
Phone as a spy tool using Instagram
The vulnerability gives the attacker full control over the Instagram application, allowing them to take actions without user consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details.
The Instagram app also has extensive permissions that are gateways to other functions on users’ phones, so an attacker could also use the vulnerability to access phone contacts, location data, the phone camera and files stored on the device, making the phone a perfect spy tool.
At the most basic level, the exploit could be used to block a user’s Instagram app, denying them access to the app until they remove it from their device and reinstall it, causing inconvenience and possible loss of data.
Danger when using third-party code
Researchers at Check Point found the vulnerability in Mozjpeg, an open source JPEG decoder that Instagram uses to load images into the application. As a result, researchers are warning application developers about the potential risks of using third-party code libraries in their applications without checking for security flaws.
Application developers often do not write the entire application themselves. Instead, developers save time by using third-party code to handle common tasks like image and sound processing, network connectivity, and more.
However, third-party code often contains vulnerabilities that could lead to security flaws in the application in general, as in this case with Instagram.
Responsible disclosure
The Check Point researchers responsibly disclosed their findings to Facebook, the owner of Instagram. Facebook was quick to acknowledge the problem, describing the vulnerability as an “Integer Overflow leading to Stack Buffer Overflow.”
Facebook issued a patch to remediate the vulnerability in the latest versions of the Instagram application on all platforms. To ensure that enough Instagram users updated their apps, thus significantly mitigating the security risk, the Check Point researchers waited 6 months to publish these findings.
Code Libraries
Yaniv Balmas, Head of Cyber Research at Check Point, said: “This research has two main conclusions. First, third-party code libraries can be a serious threat. We strongly encourage software application developers to examine the third-party code libraries they use to build their application frameworks and ensure their integration is successful. Third-party code is used in almost every application out there, and it is very easy to miss the serious threats it contains. Today it is Instagram, tomorrow, who knows?”
“Second, people should take the time to check the permissions that an app has on their device. This “application requests permission” message may seem like a burden, and it’s easy to click “Yes” and forget about it. But in practice, this is one of the strongest lines of defense everyone has against mobile cyberattacks, and I would recommend everyone to take a minute and think, do I really want to give this app access to my camera, my microphone, etc.?”
Facebook has issued the following comment: “We have fixed the problem and have not seen any evidence of abuse. We are grateful for Check Point’s help in keeping Instagram safe.”
Security advice
Check Point’s Yaniv Balmas provided the following safety tips for people:
- Update! Update! Update! Make sure one regularly updates their mobile apps and mobile operating systems. Dozens of critical security patches are being shipped in these updates on a weekly basis, and each can have a severe impact on one’s privacy.
- Monitor permissions. Pay close attention to applications that ask for permissions. It is very easy for application developers to ask users for excessive permissions, and it is very easy for users to click ‘Allow’ without a second thought.
- Think twice for approvals. Take a few seconds to really think before approving something. Ask: “Do you really want to give this application this type of access? Is it really needed?” If the answer is no, DO NOT APPROVE.