Have you ever wonder how hackers could take advantage of an Instagram bug to access an account? They can pass over your credentials, email, and two-factor authentication… But what if they could hack your smartphone with the app?

This was possible thanks to a now patched RCE vulnerability

It only took an image file to trigger. 

CheckPoint’s researchers were the ones behind the disclosure of this bug. 

What Instagram Bug Was Used to Acess Accounts?

While it was privately disclosed to Facebook (parent company of Instagram), there’s some information available about what led Hackers to leverage on the social media app to hijack smartphone cameras and microphones. 

The security flaw tracked as CVE-2020-1895 was described as an “image processing vulnerability.” Facebook’s security advisor reveals that it got a 7.8 CVSS score.

All of this sounds technical, complex, and somehow, dangerous… But how exactly did the Instagram bug opened the gates to hackers?

They (the hackers) were able to take remote control of targeted devices by sending a specially crafted email to victims via WhatApp, email, or SMS.

The attack would take place and trigger once the malicious image saved on the device.

It doesn’t matter if this image is download manually or automatically. It’s just a matter of time for you to open the app to execute its code. This one is powered due to how Instagram handles 3rd-party libraries for image processing. 

Mozjpeg (open-source JPEG decoder) is the one CheckPoint focuses on for their research. This tool was developed by Mozilla and it’s now the one the social media app uses to handle multimedia uploads. 

Mozjpeg (open-source JPEG decoder)

Mozjpeg (open-source JPEG decoder)

The team explains that: “a prepared image file can be programmed to jump over an extensive list of permissions that all smartphone devices use to protect their users.”

Hackers could auto-grant access to mobile phones with the billion-user platform. 

Where do hackers get access to? We aren’t talking about the gallery alone. 

Someone capable enough to use this exploit could also get into the phone contacts, GPS, and practically to all stored files. 

But if this wasn’t enough… This gets worrying for the company when they discover hackers can also use the RCE vulnerability to infiltrate into the DM inbox or change account settings at will (add or delete photos, for example).

Check Point concludes with more concerning facts:

“The exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it. In some cases, causing data loss.”

They confirm that this is not as new as end-users and readers believe. 

In fact, the vulnerability was already present six months ago. But the disclosure was intended to give time for users to accept the latest security updates. 

In which Facebook responds to the subject: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”

Which it leaves very clear to all of us (especially to you) that we cannot trust our information to the biggest companies. This is not the first time and it won’t be the last one either.

Of course, we cannot leave without taking something else besides fear of social media.

In the first place, I let you know that you can count on us, our Houston-based team of IT experts, at any time (24/7). Be it for consultation, protection, or troubleshooting.

And last, but not least, you can follow the safety tips that CheckPoint’s head of cyber research provide: 

  1. Update mobile applications and operating systems! – Critical security patches are being sent to you every week because of important reasons.

  2. Monitor permission-asking applications – Developers will do their best to ask as much from you as possible (especially when the tool or app is “free”).

  3. Think twice about approvals – Take a few seconds to think and ask yourself: do they actually need this from me? Do not approve, if the answer is NO.