Here’s how we found the vulnerability, and worked with Facebook and Instagram to close it to keep users safe.
What are the apps on your phone permitted to do?
The key term here is “strict permissions” – for example, a map application should be able to access your location, but should not have access to your microphone; a dating app should be able to access your camera and nothing else, and so on.
But what happens when we`re talking about an application that has extensive permissions on your device? If the application is hacked, the hacker will have easy access to your GPS data, camera, microphone, contacts, and more.
Fortunately, there isn’t a huge list of apps that have such extensive permissions on users’ devices. One example is Instagram. Given its popularity and wide-ranging permissions, we decided to review the security of Instagram’s mobile app for both Android and iOS operating systems.
What did we find?
Modus operandi
So how does such a popular application include vulnerabilities, when huge amounts of time and resources are invested in developing it?
Our modus operandi for this research was to examine the 3rd party libraries used by Instagram, And the vulnerability we found was in the way that Instagram used Mozjpeg- an open source project used by Instagram as its JPEG format image decoder for images uploaded to the service.
These resources include contacts, device storage, location services and the device camera. In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will. This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.
At a basic level, this exploit can be used to crash a user’s Instagram app, effectively denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.
Responsible disclosure & Protection
We have responsibly disclosed our findings to Facebook and the Instagram team. Facebook’s advisory was very responsive and helpful, they have described this vulnerability as an “Integer Overflow leading to Heap Buffer Overflow" and issued a patch to remediate the issue on the newer versions of the Instagram application on all platforms.
The patch for this vulnerability has already been available for 6 months prior to this publication, giving time to the majority of users to update their Instagram applications, thusmitigating the risk of this vulnerability being exploited. We strongly encourage all Instagram users to ensure they are using the latest Instagram app version and to update if any new version is available.
Check Point's SandBlast Mobile (SBM) provides full visibility into mobile risks, with advanced threat prevention capabilities. With the market’s highest threat catch rate, users of SBM stay protected from malware, phishing, man-in-the-middle attacks, OS exploits, and more. Intuitive to use, users only hear from SandBlast Mobile if they are under attack.