Home >Technology >News >Instagram bug that could have been exploited to spy on users found and fixed
FILE - This Friday, Aug. 23, 2019  file photo shows the Instagram app icon on the screen of a mobile device in New York. Celebrities including Kim Kardashian West, Katy Perry and Leonardo DiCaprio are taking part in a 24-hour “freeze” Wednesday, Sept. 16, 2020 on Instagram to protest against the failure of the social media platform's parent company, Facebook, to tackle misinformation and hateful content.  (AP Photo/Jenny Kane, File) (AP)
FILE - This Friday, Aug. 23, 2019 file photo shows the Instagram app icon on the screen of a mobile device in New York. Celebrities including Kim Kardashian West, Katy Perry and Leonardo DiCaprio are taking part in a 24-hour “freeze” Wednesday, Sept. 16, 2020 on Instagram to protest against the failure of the social media platform's parent company, Facebook, to tackle misinformation and hateful content. (AP Photo/Jenny Kane, File) (AP)

Instagram bug that could have been exploited to spy on users found and fixed

The vulnerability was identified by Facebook's security team as 'Integer Overflow leading to Heap Buffer Overflow' and was caused by a coding error in Mozjpeg, an open source project used by Instagram

A coding vulnerability in Instagram which could have given attackers unauthorised access to anyone's phone contacts, camera and location data was detected by cybersecurity firm Check Point and fixed by Facebook seven months ago. Check Point's findings on the vulnerability was made public today.

The vulnerability was identified by Facebook's security team as "Integer Overflow leading to Heap Buffer Overflow" and was caused by a coding error in Mozjpeg, an open source project used by Instagram as their JPEG format image decoder.

It was found that when Mozjpeg tried to decompress an image of certain dimensions and beyond an allocated size, it triggered the bug which crashed the app and gave attackers access over Instagram app. Anyone could have exploited the bug by sending a specially crafted image to the target's phone via email, Whatsapp or other online modes of media exchange and then wait for the person to access the image inside Instagram's photo gallery.

By exploiting the extensive app permissions granted to apps like Instagram, attackers would have gained access to other components of the phone such as storage, camera and microphone. In attacks like this, the image that triggered the bug is likely to carry a malicious payload which when copied would divert the remote code execution (RCE) to an address controlled by the attacker.

According to Check Point, Facebook responded quickly to their findings and released a patch fixing the issue on all platforms. The patch was released in February, which means it must have been downloaded by the majority of Instagram users by now.

Most app developers rely on third party libraries for common and often complicated tasks such as image processing and sound processing to save time so they can focus more on other areas which matter more to users like user experience (UX). As a result, many of the codes are often copied without any modifications. Any vulnerability in the primary code gets automatically integrated into the app, until it's detected, like in this case.

Researchers at Check Point warn that the Mozjpeg project on Instagram is not a singular use case. The Mozilla-based project is still widely used by various apps.

Check Point recommends, developers can reduce the attack surface by restricting the receiver to a small number of supported image formats.

Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.

Click here to read the Mint ePaperMint is now on Telegram. Join Mint channel in your Telegram and stay updated with the latest business news.

Close
x
×
My Reads Redeem a Gift Card Logout