Security researchers at Check Point just-published research, identifying a Remote Control Execution (RCE) vulnerability in Instagram. The attacker would only need a single, malicious image to execute the attack. Check Point researchers summarised the attack method to three steps:
In effect, the vulnerability gives the attacker full control over the Instagram app and turns it into a spy tool with the power to create actions on behalf of the user: reading all direct messages on the Instagram account, deleting, or posting photos at will, manipulating account profile details. Since the Instagram application is known to have extensive permissions that are gateways to features and functionality on one’s phone, an attacker could use the vulnerability to access phone contacts, location data, phone cameras, and files stored on the device, turning the phone into a perfect spying tool. At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.
This is an interesting, but also worrying exploit. With social media accounts containing much sensitive information, they are lucrative targets for attackers.
In order for this particular attack to be successful, a picture needs to be sent to a target and saved to their phone. Therefore, one of the best ways to defend against this would be for people to be wary of incoming images, especially from unknown parties. It is rumored that Jeff Bezos phone was also compromised due to receiving a malware-laced video via Whatsapp.
Secondly, users can disable the auto-saving of images that are received via social media such as Whatsapp.
For influencers, or brand managers who use Instagram or other social media in a professional capacity, it\’s worth considering using separate devices for work (i.e. Instagram) and personal social media uses. This would apply to not just the influencers and celebrities themselves, but also any staff that support them and have access to their accounts.
This vulnerability shows just how vulnerable our online accounts are. By allowing remote access to an Instagram account, the attackers could use this for any purpose they wish, including blackmail or the compromise of high-profile or corporate Instagram accounts. Instagram must work as quickly as possible to patch this vulnerability – Service providers have a duty of care to their users to follow security best practices — the discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.