Instagram photo flaw could have helped hackers spy via users’ cameras and microphones

A critical vulnerability in Instagram’s Android and iOS apps could have allowed remote attackers to run malicious code, snoop on unsuspecting users, and hijack control of smartphone cameras and microphones.

The security hole, which has been patched by Instagram owner Facebook, could be exploited by a malicious hacker simply sending their intended victim a boobytrapped malicious image file via SMS, WhatsApp, email or any other messaging service.

When Instagram is subsequently opened, a heap overflow would occur in the app’s image-processing library allowing – according to a blog post by security researchers at Check Point – attackers to spy on private messages, post and delete photos, as well as access the phone’s contacts, camera and location data.

“In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will. This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.”

According to the researchers, the most basic exploitation of the flaw would cause the Instagram app to crash – preventing users from accessing their account until the app is deleted from their device and reinstalled.

Specifically, the vulnerability was in the way that the Instagram app used a third-party JPEG processing library called Mozjpeg. Sloppily, Instagram misused the open-source code when handling images opening a window of opportunity for remote code execution to take place.

Fortunately, the researchers who discovered the serious security hole believe in responsible disclosure, and worked with Facebook and Instagram to ensure that the vulnerability was patched properly.

It’s notable that details of the vulnerability have only been made public now, some six months after a patched version of Instagram was first rolled out. That underlines just how seriously the security hole was regarded by Instagram and the researchers who found it.

Because of the significant risk that a sophisticated attacker – perhaps state-sponsored – might attempt to exploit the flaw to spy upon high-risk targets, public disclosure has only taken place now, when it is believed that the majority of users will have updated their Instagram apps.

Of course, if you haven’t updated your Instagram app in the last six months or so then you really should take action now. Either remove the Instagram app from your smartphone entirely, or update it to the latest version from the official Google Play or iOS app stores.

Facebook confirmed that the security vulnerability had been fixed and that it hadn’t seen any evidence of malicious abuse of the flaw.

More information about the vulnerability can be found in a technical blog post published by the researchers.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

18 thoughts on “Instagram photo flaw could have helped hackers spy via users’ cameras and microphones

  1. Link exchange is nothing else except it is just placing the other person’s webpage link on your page at suitable place and other person will
    also do similar in favor of you.

  2. Its like you read my mind! You appear to know so much
    about this, like you wrote the book in it or something.
    I think that you could do with a few pics to drive the message home a
    bit, but other than that, this is wonderful blog. An excellent read.
    I’ll definitely be back.

  3. Nice blog here! Also your website loads up fast!
    What host are you using? Can I get your affiliate
    link to your host? I wish my site loaded up as fast as yours lol

  4. Very nice post. I just stumbled upon your weblog and wanted to
    say that I have really enjoyed browsing your blog posts. In any case I will be subscribing to your rss feed
    and I hope you write again soon!

  5. Great post. I used to be checking continuously this
    blog and I’m inspired! Extremely helpful information particularly the ultimate part 🙂 I handle such information much.
    I was looking for this particular info for a very lengthy time.

    Thank you and best of luck.

  6. Admiring the dedication you put into your blog and in depth information you provide.

    It’s good to come across a blog every once in a while that isn’t the same unwanted rehashed information. Wonderful read!
    I’ve saved your site and I’m adding your RSS feeds to my Google account.

  7. I truly love your website.. Great colors & theme. Did you develop this web site yourself?

    Please reply back as I’m trying to create my own personal site and would love to
    know where you got this from or what the theme is called.
    Thanks!

  8. Ahaa, its nice discussion about this paragraph at
    this place at this website, I have read all that, so
    at this time me also commenting here.

  9. I have read so many articles or reviews concerning the
    blogger lovers but this article is actually a nice post, keep it up.

  10. Undeniably consider that that you said. Your favorite reason seemed to be at the web the simplest factor to understand of.

    I say to you, I certainly get irked whilst folks think about issues that they plainly do not
    understand about. You controlled to hit the nail upon the top
    as well as outlined out the entire thing without having side effect , folks could take a signal.
    Will probably be back to get more. Thanks

Leave a Reply

Your email address will not be published.

Skip to content