Researchers at cyber-security firm, Check Point, have detailed a major vulnerability in Instagram that could have allowed hackers to take over accounts with just one malicious image file. The remote code execution (RCE) vulnerability, which affected Instagram’s Android and iOS apps, was discovered earlier this year and was fixed after being reported by Check Point.
According to the researchers, the flaw allowed attackers to perform actions on behalf of the user within the Instagram app, including spying on the victim’s private messages and posting or deleting photos. As if that wasn’t bad enough, it also enabled hackers to execute arbitrary code on the device. The attackers could also have taken advantage of the extensive array of permissions to potentially turn people’s mobile phones into spying tools, said the report.
Describing the flaw, the researchers said that it was a heap buffer overflow that occurred when Instagram tried to upload a larger image believing it to be smaller. “When the image is saved and opened in the Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera and location data”, they said in an official blog post.
Tracked as CVE-2020-1895, the flaw is described by Facebook as an ‘Integer Overflow leading to Heap Buffer Overflow’. It affects Instagram versions prior to 188.8.131.52.128 on Android. The company has issued a patch to remediate the issue on the newer versions of the Instagram application on all platforms, so all users should update to the latest version to ensure their privacy. You can read the full technical details of this research on the official Check Point website.