Facebook patched a major vulnerability in Instagram that was serious enough to let an attacker take over the whole smartphone. The issue was found in Instagram's Android application.
The issue, which Check Point privately reported to Facebook, the owner of Instagram, was present in a third-party project, Mozjpeg.
Mozjpeg is a third-party open source project that Instagram uses in its software. It reduces the size of JPEG images while retaining their quality and compatibility. The vulnerability is said to lie in the way Instagram uses Mozjpeg in its image processing.
The bug could be exploited by simply sending a malicious image to the target phone and tricking the victim into downloading it.
This type of attack is known as a Remote Code Execution (RCE) attack. It allows the attacker to take full control of the victim's device, delete files, steal information, and even carry out a full-fledged Distributed Denial of Service (DDoS) attack.
The image, sent through email, WhatsApp, or any other medium, needs to be opened once. Once the image is saved on the local device, opening Instagram was all that was needed for the malicious code to execute and hijack the smartphone.
Once the malicious code is executed, the attacker gains access to all the resources already granted to the Instagram mobile app. To name some, this would make the contact list, camera, location, and storage accessible to the attacker.
Tracked as CVE-2020-1895 with a CVSS score of 7.8, the vulnerability was a heap overflow problem, according to Facebook's advisory.
“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 220.127.116.11 “128,” the advisory says.
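A heap overflow triggered by crafted image dimensions typically comes from buffer-size arithmetic that is trusted without bounds checks. The C code below is an added example, not Instagram's or Mozjpeg's code, showing an unchecked size computation beside a checked one. The function names, the 256 MiB cap and the sample dimensions are assumptions; the page does not describe the root cause at this level of detail.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on a decoded image; tune to what the app really needs. */
#define MAX_DECODED_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked: 32-bit arithmetic wraps, so huge dimensions yield a tiny size. */
static uint32_t decoded_size_unchecked(uint32_t w, uint32_t h, uint32_t ch)
{
    return w * h * ch;
}

/* Checked: 0 and *out set on success, -1 if the dimensions are rejected. */
static int decoded_size_checked(uint32_t w, uint32_t h, uint32_t ch, size_t *out)
{
    if (w == 0 || h == 0 || ch == 0 || ch > 4)
        return -1;
    uint64_t row = (uint64_t)w * ch;        /* at most 2^34, fits in 64 bits */
    if (row > MAX_DECODED_BYTES / h)        /* division avoids a second wrap */
        return -1;
    *out = (size_t)(row * h);
    return 0;
}

/* Allocate the pixel buffer only after the size has been validated. */
static unsigned char *alloc_decoded(uint32_t w, uint32_t h, uint32_t ch, size_t *size)
{
    if (decoded_size_checked(w, h, ch, size) != 0)
        return NULL;
    return malloc(*size);
}

int main(void)
{
    /* Constructed dimensions: true size is about 12 GiB, 32-bit math gives 192 KiB. */
    uint32_t w = 65537, h = 65536, ch = 3;
    size_t size = 0;
    printf("unchecked size: %u bytes\n", (unsigned)decoded_size_unchecked(w, h, ch));
    unsigned char *buf = alloc_decoded(w, h, ch, &size);
    printf("checked allocation: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    buf = alloc_decoded(640, 480, 3, &size);
    printf("640x480x3: %zu bytes %s\n", size, buf ? "allocated" : "failed");
    free(buf);
    return 0;
}
```

A decoder that allocates from the unchecked size and then writes the full image overruns the heap buffer; rejecting the dimensions before allocation removes that path.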
The bug could also be used to access personal chats, post or delete photos, or change settings without permission. The exploit could make the app crash, Check Point added.
A similar kind of vulnerability was discovered in WhatsApp last year in version 2.19.230, and was officially patched in version 2.19.244 of the app. That exploit worked on Android versions 8.1 and 9.0 but not on 8.0 or below, said the discoverer, who goes by the name Awakened.
The patch was released six months ago, but the details were kept secret until now to give users time to update the app and to keep potential attackers from exploiting the vulnerability.
Facebook reported that the vulnerability remains unexploited. Facebook made no comment on the matter other than publishing an advisory.
All users are advised to update all their apps to the latest version to minimize the possibility of compromise. It is also advisable to grant only the minimum privileges to apps that hold important or personal data.