An attacker could exploit a flaw in a library used by Instagram by sending a specially crafted image to an intended victim's device, the company said. The attacker would have full access to the victim's Instagram messages and images, and could post or delete images. The exploit also gave access to contacts, camera and location data.
A detailed technical post on the flaw has been written by researcher Gal Elbaz.
While most mobile apps restrict permissions in order to ensure safety, Instagram is one of those that does not stint on demanding permissions to most of a phone's functions.
"The target user saves the image on their handset, and when they open the Instagram app, the exploitation takes place, allowing the attacker full access to any resource in the phone that is pre-allowed by Instagram," the company said.
"These resources include contacts, device storage, location services and the device camera. In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will.
"This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.
"At a basic level, this exploit can be used to crash a user’s Instagram app, effectively denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data."
Check Point said it had disclosed details of the vulnerability to Facebook well ahead of the release of the details, so that the social media company could issue a patch.
Yaniv Balmas, head of Cyber Research at Check Point, said: “After conducting this research, two takeaways surfaced. Firstly, third-party code libraries can be a serious threat. We strongly urge developers of software applications to vet the third-party code libraries they use to build their application infrastructures and make sure their integration is done properly. Third-party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?
“Secondly, people need to take the time to check the permissions an application has on their device. This 'application is asking for permission' message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it.
“But in practice this is one of the strongest lines of defence everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”
Elbaz said his blog post described how image parsing code, as a third-party library, ended up being the weakest point in Instagram’s large system.
"Fuzzing the exposed code turned up some new vulnerabilities which have since been fixed. It is likely that, given enough effort, one of these vulnerabilities can be exploited for RCE in a zero-click attack scenario," he said.
"Unfortunately, it is also likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating-system libraries and third-party libraries, is absolutely necessary. We also recommend reducing the attack surface by restricting the receiver to a small number of supported image formats."
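The format restriction recommended above, sketched as an added example (not code from Check Point, Instagram or the original article): a gate that identifies a received file by its leading bytes and refuses anything outside a small allowlist before any decoder sees it. The two-format allowlist, the function names and the sample header bytes are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

# (format name, [(offset, magic bytes), ...]); every listed magic must match.
SIGNATURES = [
    ("jpeg", [(0, b"\xff\xd8\xff")]),
    ("png",  [(0, b"\x89PNG\r\n\x1a\n")]),
    ("gif",  [(0, b"GIF8")]),
    ("webp", [(0, b"RIFF"), (8, b"WEBP")]),
    ("tiff", [(0, b"II*\x00")]),
    ("tiff", [(0, b"MM\x00*")]),
    ("bmp",  [(0, b"BM")]),
]

# Assumption: this receiver only needs two formats; everything else is refused.
ALLOWED = {"jpeg": "image/jpeg", "png": "image/png"}

class Decision(NamedTuple):
    accept: bool
    fmt: Optional[str]
    reason: str

def sniff_format(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes, never from name or MIME."""
    for name, magics in SIGNATURES:
        if all(data[off:off + len(m)] == m for off, m in magics):
            return name
    return None

def gate(data: bytes, declared_mime: str) -> Decision:
    """Decide whether a received file may be handed to an image decoder."""
    fmt = sniff_format(data)
    if fmt is None:
        return Decision(False, None, "unrecognised content")
    if fmt not in ALLOWED:
        return Decision(False, fmt, "format not on allowlist")
    if ALLOWED[fmt] != declared_mime.strip().lower():
        return Decision(False, fmt, "declared type does not match content")
    return Decision(True, fmt, "ok")

# Constructed sample inputs: header bytes only, not real images.
SAMPLES = {
    "photo.jpg": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", "image/jpeg"),
    "icon.png": (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", "image/png"),
    "anim.jpg": (b"GIF89a\x01\x00\x01\x00", "image/jpeg"),
    "pic.webp": (b"RIFF\x24\x00\x00\x00WEBPVP8 ", "image/webp"),
    "scan.png": (b"\xff\xd8\xff\xe1\x00\x10Exif\x00", "image/png"),
}

if __name__ == "__main__":
    for name, (data, mime) in SAMPLES.items():
        print(name, gate(data, mime))
```

A gate like this only narrows which decoders are reachable; it does not validate the file body, so the permitted decoders still need the continuous fuzz-testing the quote calls for.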