Instagram Had a Major Bug That Could Have Given Hackers Full Control of Your Account

Instagram Had a Major Bug That Could Have Given Hackers Full Control of Your Account

A Check Point Research discovery has underlined a remote execution bug, where hackers could use an image file to get access to all your Instagram Direct Messages, post from your account and also detect your phone location.

Instagram reportedly had a major bug that could have allowed hackers to remotely gain full access to your account. A breach of this nature could have allowed anyone gaining access to read and manipulate your Instagram direct messages and post anything from your Instagram account. Making matters worse, the bug could have allowed attackers to also get access to your entire contacts list, along with your phone camera and location data. Thankfully, Check Point’s researchers detected and alerted Facebook about the bug earlier this year, which was then patched with critical urgency.

The bug in question lay in Instagram’s open source JPEG image decoder, Mozjpeg. To carry out this remote hack, attackers simply sent Instagram users a JPEG image file. If unsuspecting users downloaded the file and open the Instagram app again, the remote access tool (RAT) malware come into effect, and attackers could remotely escalate their privilege on the compromised device based on all the device permissions that Instagram has on it. For the app to function, Instagram typically takes access for camera, user location, microphone, storage and more, all of which are believed to have been vulnerable to the flaw.

According to Check Point, once an account was compromised, the user’s Instagram app would keep crashing, until the app would be uninstalled with a full data erase, and restored. Giving the critical nature of the flaw, Facebook is said to have urgently issued a flaw for this bug about six months ago. The flaw affected both the Android and iOS apps of Instagram, and was detected when Check Point researchers were exploring potential vulnerabilities in Instagram’s third party project integrations – of which Mozjpeg was one of them.

Flaws such as these are increasingly common, particularly with an increasing frequency of cyber attacks across all services. Recently, in light of increasing vulnerability disclosures, WhatsApp introduced a security disclosures page, where it will lay down key flaws that have been patched by them in the past. Given that Facebook, WhatsApp and Instagram work with similar principles, it remains to be seen if Instagram’s hierarchy decides to introduce a similar disclosure page as well.

Next Story