Friday, 25 September 2020 08:13

Check Point discloses details of image-handling flaw in Instagram

Image by Gerd Altmann from Pixabay

Check Point Research, the threat intelligence arm of Israeli security outfit Check Point Software Technologies, has disclosed details of a remotely exploitable vulnerability in the popular photo- and video-sharing app Instagram, which has close to a billion users.

An attacker could exploit a flaw in a library used by Instagram by sending a specially crafted image to an intended victim's device, the company said. The attacker would have full access to the victim's Instagram messages and images, allowing him/her to post or delete images. Access to contacts, camera and location data was also made possible by this hack.

A detailed technical post on the flaw has been written by researcher Gal Elbaz.

While most mobile apps restrict permissions in order to ensure safety, Instagram is one of those that does not stint on demanding permissions to most of a phone's functions.

The flaw in question was in the Mozjpeg library that Instagram uses as a JPEG format decoder for images.

"The target user saves the image on their handset, and when they open the Instagram app, the exploitation takes place, allowing the attacker full access to any resource in the phone that is pre-allowed by Instagram," the company said.

"These resources include contacts, device storage, location services and the device camera. In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will.

"This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.

"At a basic level, this exploit can be used to crash a user’s Instagram app, effectively denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data."

Check Point said it had disclosed details of the vulnerability to Facebook well ahead of the release of the details, so that the social media company could issue a patch.

Yaniv Balmas, head of Cyber Research at Check Point, said: “After conducting this research, two takeaways surfaced. Firstly, third-party code libraries can be a serious threat. We strongly urge developers of software applications to vet the third-party code libraries they use to build their application infrastructures and make sure their integration is done properly. Third-party code is used in practically every single application out there, and it's very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?

“Secondly, people need to take the time to check the permissions an application has on their device. This 'application is asking for permission' message may seem like a burden, and it's easy to just click ‘Yes’ and forget about it.

“But in practice this is one of the strongest lines of defence everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”

Elbaz said his blog post described how image parsing code, as a third-party library, ended up being the weakest point in Instagram’s large system.

"Fuzzing the exposed code turned up some new vulnerabilities which have since been fixed. It is likely that, given enough effort, one of these vulnerabilities can be exploited for RCE in a zero-click attack scenario," he said.

"Unfortunately, it is also likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating-system libraries and third-party libraries, is absolutely necessary. We also recommend reducing the attack surface by restricting the receiver to a small number of supported image formats."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
