Instagram Vulnerability

A vulnerability in Instagram allowed an attacker to take over an Instagram account and turn the victim’s phone into a spying tool by simply sending a malicious image via any media exchange platform.

Security Week

Key takeaways from this article –

Instagram users should ensure that they are using version 128.0.0.26.128 or later.

Consider disabling automatic saving of received media to your device in WhatsApp (it is on by default).

“People need to take the time to check the permissions any application has on your device. This ‘application is asking for permission’ message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”

Yaniv Balmas, Head of Cyber Research at Check Point

Why was it discovered?

Check Point Research decided to examine Instagram because of its size and popularity. It has more than 1 billion users with more than 100 million photos uploaded every day. The researchers chose to examine some of the third-party open source projects used within the Instagram app, and focused on Mozjpeg. This is an open source JPEG encoder developed by Mozilla that favours compression ratio over encoding speed for web images.

Security Week

How did the researchers discover it?

The researchers used a fuzzer on images sent to the Mozjpeg decompression function, and decided to concentrate on one specific crash caused by an out-of-bounds write. The root cause was an integer overflow in the image dimension arithmetic, which produced an undersized allocation and therefore a heap buffer overflow. Successful exploitation of such bugs requires precise positioning of heap objects so that the overflow corrupts something useful that sits next to the undersized buffer.

They were able to use a function that performs a raw malloc with a size under their control. This allowed them to place the overflowed buffer at a position of their choice on the heap. Putting everything together, reported the researchers, they could “(1) construct an image with malformed dimensions that (2) triggers the bug, which then (3) leads to a copy of our controlled payload that (4) diverts the execution to an address that we control.”

Security Week
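The bug class described above, as an added illustration that is not Check Point's or Instagram's code: a constructed C program that reads width and height out of a JPEG SOF0 segment, shows how computing the pixel-buffer size in 32-bit arithmetic wraps to a tiny allocation for crafted dimensions (the undersized heap buffer that the later per-pixel copy then overruns), and puts a checked size computation beside it. The 4-bytes-per-pixel output format, the 256 MiB size cap, the sample SOF0 bytes and every function name are assumptions of this example; the heap grooming via a controlled-size malloc that the researchers describe is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed decoded pixel format for this illustration: 4 bytes per pixel (RGBA). */
#define BYTES_PER_PIXEL 4u
/* Assumed policy cap on a decoded image; a real decoder picks its own limit. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Read the image dimensions out of a JPEG SOF0 (baseline) segment.
 * Layout: FF C0, 16-bit length, 8-bit precision, 16-bit height,
 * 16-bit width (all big-endian), 8-bit component count, ... */
bool parse_sof0_dimensions(const uint8_t *seg, size_t len,
                           uint32_t *width, uint32_t *height) {
    if (len < 9 || seg[0] != 0xFF || seg[1] != 0xC0) return false;
    *height = ((uint32_t)seg[5] << 8) | seg[6];
    *width  = ((uint32_t)seg[7] << 8) | seg[8];
    return true;
}

/* VULNERABLE PATTERN (constructed, not Instagram's code): the buffer size is
 * computed in 32-bit unsigned arithmetic. width*height fits for 16-bit JPEG
 * dimensions, but multiplying by BYTES_PER_PIXEL wraps modulo 2^32, so the
 * heap buffer handed to the pixel-copy loop can be far too small. */
uint32_t vulnerable_buffer_size(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;   /* may wrap */
}

/* Bytes a copy loop iterating over every pixel actually writes (no wrap). */
uint64_t bytes_actually_written(uint32_t width, uint32_t height) {
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* True when the vulnerable size computation under-allocates. */
bool would_heap_overflow(uint32_t width, uint32_t height) {
    return bytes_actually_written(width, height) >
           (uint64_t)vulnerable_buffer_size(width, height);
}

/* HARDENED: widen before multiplying, bound the result explicitly, and
 * refuse degenerate dimensions. Returns false instead of a bogus size. */
bool checked_buffer_size(uint32_t width, uint32_t height, size_t *out) {
    if (width == 0 || height == 0) return false;
    uint64_t pixels = (uint64_t)width * height;   /* 32x32-bit product fits in 64 bits */
    if (pixels > MAX_IMAGE_BYTES / BYTES_PER_PIXEL) return false;
    *out = (size_t)(pixels * BYTES_PER_PIXEL);    /* cannot wrap: bounded above */
    return true;
}

/* Allocate the pixel buffer only for sizes that passed the check. */
uint8_t *alloc_pixel_buffer(uint32_t width, uint32_t height, size_t *size_out) {
    size_t size;
    if (!checked_buffer_size(width, height, &size)) return NULL;
    uint8_t *buf = calloc(size, 1);
    if (buf && size_out) *size_out = size;
    return buf;
}

int main(void) {
    /* Constructed SOF0 segment: height 32769, width 32768, 3 components.
     * 32768 * 32769 * 4 = 2^32 + 131072, so the 32-bit size wraps to 131072. */
    const uint8_t sof0[] = { 0xFF, 0xC0, 0x00, 0x11, 0x08,
                             0x80, 0x01,   /* height = 0x8001 = 32769 */
                             0x80, 0x00,   /* width  = 0x8000 = 32768 */
                             0x03 };
    uint32_t w, h;
    if (!parse_sof0_dimensions(sof0, sizeof sof0, &w, &h)) return 1;
    printf("dimensions %ux%u\n", w, h);
    printf("vulnerable size: %u bytes, copy loop writes %llu bytes\n",
           vulnerable_buffer_size(w, h),
           (unsigned long long)bytes_actually_written(w, h));
    size_t size = 0;
    uint8_t *buf = alloc_pixel_buffer(w, h, &size);
    printf("hardened allocation: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The dimensions chosen are both below the 65535 limit a JPEG SOF segment can express, which is the point: a file that is structurally valid still drives the 32-bit size computation to wrap. The hardened version does not rely on spotting the overflow after the fact; it bounds the product before the multiplication that could wrap ever happens.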

What did this mean for Instagram users?

Exploiting this vulnerability would give the attacker full control over the Instagram app, enabling the attacker to take actions without the user’s consent — including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details. All that is required is for the attacker to send the crafted malicious image to the victim. If this is saved to the victim’s phone (WhatsApp does this automatically by default), merely opening the Instagram app will trigger the exploitation and give the attacker full access for remote takeover.

Security Week

Has it been fixed?

Check Point reported its findings to Facebook towards the end of 2019. Facebook acknowledged the vulnerability and assigned it the identifier CVE-2020-1895. NVD gives it a CVSS base score of 7.8 (High). Facebook patched the vulnerability in February 2020, and Check Point delayed publishing its account of the vulnerability a further six months to give Instagram users enough time to update their apps. Facebook comments that the issue is fixed, and it has seen no evidence of associated abuse.

However, the Check Point researchers, while noting that fuzzing the exposed code turned up new vulnerabilities that have since been fixed, warn that it is “likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating system libraries and third-party libraries, is absolutely necessary.”

Security Week
