Facebook removes Instagram bug allowing attackers to spy on app users
Instagram has a major vulnerability, traced CVE-2020-1895 and issued a CVSS score of 7.8, which could lead to remote access execution and hijack of SmartPhones camera, microphone and more.
Check Point described this vulnerability as a “critical vulnerability in Instagram’s image processing,” allowing the attackers to break into the victims’ phone only by sending him/her a specially crafted image via a common messaging platform or over email.
Facebook, the owner of the Instagram platform, explained this vulnerability as:
“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128”.
Issue was with how Instagram handles third-party libraries used for image processing. Instagram improperly utilized Mozijped, an open source JPEG decoder, to handle image uploads.
As per Check Point, crafted image file contains a payload which is able to harness app’s extensive permission list on Android devices and grant access to all resources on the phone that is allegedly allowed to Instagram.
Check Point said, by exploiting this vulnerability, the hackers could gain access to phone contacts, camera, location/GPS data and locally stored files and lead to privacy, security and identity theft issues. Also, it could be used to harm users through the insta app itself as the attackers get the full control over the app. They can delete posts, photos without permission, change accounts settings and intercept direct message and read them.
“Unfortunately, it is also likely that other bugs remain or will be introduced in the future. As such, continuous fuzz-testing of this and similar media format parsing code, both in operating system libraries and third party libraries, is absolutely necessary. We also recommend reducing the attack surface by restricting the receiver to a small number of supported image formats”.
The vulnerability was detected very earlier in this year and it was time before when the Fabebook fixed this issue. So, this social media app is safe at now. The reason for public exploitation at now is because cybersecurity researchers wanted to give time to Instagram to update their apps.
Experts also recommend users to use the latest version of the app and keep looking for the update always in future.