Instagram bug that could have been exploited to spy on users found and fixed
Updated: 24 Sep 2020, 09:21 PM IST
The vulnerability was identified by Facebook's security team as 'Integer Overflow leading to Heap Buffer Overflow' and was caused by a coding error in Mozjpeg, an open source project used by Instagram
A coding vulnerability in Instagram which could have given attackers unauthorised access to anyone's phone contacts, camera and location data was detected by cybersecurity firm Check Point and fixed by Facebook seven months ago. Check Point's findings on the vulnerability were made public today.
The vulnerability was identified by Facebook's security team as "Integer Overflow leading to Heap Buffer Overflow" and was caused by a coding error in Mozjpeg, an open source project used by Instagram as their JPEG format image decoder.
It was found that when Mozjpeg tried to decompress an image of certain dimensions, larger than the buffer allocated for it, the bug was triggered, crashing the app and giving attackers control over the Instagram app. Anyone could have exploited the bug by sending a specially crafted image to the target's phone via email, WhatsApp or another online medium for exchanging media, and then waiting for the person to open the image inside Instagram's photo gallery.
By abusing the extensive permissions granted to apps like Instagram, attackers would have gained access to other components of the phone such as storage, camera and microphone. In attacks like this, the image that triggers the bug is likely to carry a malicious payload which, when copied into memory, diverts execution to an address controlled by the attacker, giving remote code execution (RCE).
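The bug class the article describes, as an added illustration that is not Mozjpeg's own code (function names and the header fields are hypothetical): a pixel-buffer size computed in 32 bits that wraps for an oversized image, beside the bounded, overflow-checked version a decoder should use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Largest width/height this illustrative decoder accepts; 65500 is the cap the
   libjpeg family uses (JPEG_MAX_DIMENSION). Nothing here is mozjpeg's code. */
#define MAX_DIMENSION 65500u

/* Vulnerable pattern: width * height * channels is computed in 32 bits.
   For a large enough header the product wraps, a far-too-small buffer is
   allocated, and the decoder later writes pixel rows past its end. */
size_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t channels) {
    uint32_t n = width * height * channels;   /* silently wraps modulo 2^32 */
    return (size_t)n;
}

/* Hardened pattern: bound each dimension, then multiply in size_t with an
   overflow guard before the final step. Returns 0 when the header is rejected. */
size_t checked_buffer_size(uint32_t width, uint32_t height, uint32_t channels) {
    if (width == 0 || height == 0 || channels == 0 || channels > 4) return 0;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION) return 0;
    size_t wh = (size_t)width * height;       /* <= 65500^2, fits even a 32-bit size_t */
    if (wh > SIZE_MAX / channels) return 0;   /* would overflow size_t */
    return wh * channels;
}

/* Allocate a zeroed pixel buffer only when the size is sound; NULL otherwise. */
unsigned char *alloc_pixel_buffer(uint32_t width, uint32_t height, uint32_t channels) {
    size_t n = checked_buffer_size(width, height, channels);
    return n ? (unsigned char *)calloc(n, 1) : NULL;
}

int main(void) {
    /* Constructed header values: a 65536x65536 single-channel image wraps to 0 bytes. */
    printf("unchecked: %zu bytes\n", unchecked_buffer_size(65536u, 65536u, 1u));
    printf("checked:   %zu bytes (0 = rejected)\n", checked_buffer_size(65536u, 65536u, 1u));
    unsigned char *buf = alloc_pixel_buffer(1920u, 1080u, 3u);
    printf("1920x1080x3 allocated: %s\n", buf ? "yes" : "no");
    free(buf);
    return 0;
}
```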
According to Check Point, Facebook responded quickly to their findings and released a patch fixing the issue on all platforms. The patch was released in February, which means it must have been downloaded by the majority of Instagram users by now.
Most app developers rely on third-party libraries for common and often complicated tasks such as image and sound processing, to save time so they can focus on areas that matter more to users, like user experience (UX). As a result, the library code is often copied in without any modification. Any vulnerability in the upstream code is automatically inherited by the app until it is detected, as in this case.
Researchers at Check Point warn that Instagram's use of the Mozjpeg project is not an isolated case. The Mozilla-based project is still widely used by various apps.
Check Point recommends that developers reduce the attack surface by restricting the receiving side to a small number of supported image formats.