A vulnerability in Instagram allowed an attacker to take over an Instagram account and turn the victim’s phone into a spying tool by simply sending a malicious image by any media exchange platform.Security Week
Key takeaways from this article –
Instagram uses should ensure that they are using version 220.127.116.11.128 or later.
Consider disabling automatic saving of photos to your device in What’s App
People need to take the time to check the permissions any application has on your device. This ‘application is asking for permission’ message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”Yaniv Balmas, Head of Cyber Research at Check Point
Why was it discovered?
Check Point Research decided to examine Instagram because of its size and popularity. It has more than 1 billion users with more than 100 million photos uploaded every day. The researchers chose to examine some of the third-party open source projects used within the Instagram app — and focused on Mozjpeg. This is an open source Jpeg encoder developed by Mozilla to maximize compression over performance for web images.Security Week
How did the researchers discover it?
The researchers used a fuzzer on images sent to the Mozjpeg decompression function, and decided to concentrate on one specific crash caused by an out-of-bounds write. They found that they could use an integer overflow leading to a heap buffer overflow. Successful exploitation of such bugs requires precise positioning of heap objects to enable useful adjacencies for memory corruption.
They were able to use a function that performs a raw malloc with a size under their control. This allowed them to place the overflowed buffer at a position of their choice on the heap. Putting everything together, reported the researchers, they could “(1) construct an image with malformed dimensions that (2) triggers the bug, which then (3) leads to a copy of our controlled payload that (4) diverts the execution to an address that we control.”Security Week
What did this mean for Instagram users?
Exploiting this vulnerability would give the attacker full control over the Instagram app, enabling the attacker to take actions without the user’s consent — including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details. All that is required is for the attacker to send the crafted malicious image to the victim. If this is saved to the victim’s phone (WhatsApp does this automatically by default), merely opening the Instagram app will trigger the exploitation and give the attacker full access for remote takeover.Security Week
Has is been fixed?
Check Point reported its findings to Facebook towards the end of 2019. Facebook acknowledged the vulnerability and assigned it the CVE-2020-1895 reference number. NVD gives it a severity rating of 7.8. Facebook patched the vulnerability in February 2020, and Check Point delayed publishing its account of the vulnerability a further six months to give Instagram users enough time to update their apps. Facebook comments that the issue is fixed, and it has seen no evidence of associated abuse.
However, the Check Point researchers, while noting that fuzzing the exposed code turned up new vulnerabilities that have since been fixed, it is “likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating system libraries and third-party libraries, is absolutely necessary.”Security Week