Instagram has again made it to the news due to a serious security flaw. Reportedly, a critical RCE flaw existed in the Instagram app that risked the security of Android and iOS phones.
Instagram App RCE Flaw
Researchers from Check Point Research have discovered a critical remote code execution bug in Instagram. The RCE flaw specifically resided in the Instagram mobile app, thus posing a threat to both Android and iOS phones.
The researchers have shared the details of their findings in a report.
In brief, they found a vulnerability in the way Instagram utilized Mozilla’s open-source JPEG format decoder Mozjpeg.
Because of this issue, an attacker could easily trigger the bug by sending a maliciously crafted image to the victim’s device via WhatsApp, email, or any other medium. Once the victim opened the image in Instagram, the exploit would execute.
In this way, an attacker could gain access to the victim’s device, including accessing data and executing different commands.
Given the extent of the permissions the Instagram app holds, the researchers believe exploiting the flaw would simply turn the victim’s device into a spying tool.
As explained in their blog post,
In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will. This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile.
The most basic consequence of such exploitation, by contrast, would be an app crash necessitating a reinstallation.
Facebook Patched The Vulnerability
The Check Point Research team reached out to Facebook after finding this RCE flaw. Following their report, Facebook patched the vulnerability in Instagram, tracked as CVE-2020-1895. In its advisory, Facebook classified the bug as a heap overflow issue.
Facebook confirmed that the bug affected previous versions of the Instagram for Android app and was patched in v.128.0.0.26.128.
For now, all Instagram users are seemingly safe from this flaw, since Facebook fixed it back in February 2020. The researchers, however, waited months and disclosed the bug only now, to minimize the chances of exploitation.