Expert Comments

Security Experts On Instagram bug lets hackers ‘snoop on you through your phone’ by sending a single image file

Expert(s): Security Experts
Expert(s): Security Experts Published: Last Updated on

Security researchers at Check Point published research today, identifying a Remote Control Execution (RCE) vulnerability in Instagram. The attacker would only need a single, malicious image to execute the attack. Check Point researchers summarised the attack method to three steps:

  1. The attacker sends an image to a target victim’s email, WhatsApp or other media exchange platform.
  2. The picture is saved to the user’s mobile phone. This is can be done automatically or manually depending on the sending method, the mobile phone type, and configuration. A picture sent via WhatsApp for example will be saved to the phone automatically by default on all platforms.
  3. The victim opens the Instagram app, triggering the exploitation, giving the attacker full access for remote takeover

In effect, the vulnerability gives the attacker full control over the Instagram app and turns it into a spy tool with the power to create actions on behalf of the user: reading all direct messages on the Instagram account, deleting, or posting photos at will, manipulating account profile details. Since the Instagram application is known to have extensive permissions that are gateways to features and functionality on one’s phone, an attacker could use the vulnerability to access phone contacts, location data, phone cameras, and files stored on the device, turning the phone into a perfect spying tool. At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.

Research details: https://research.checkpoint.com/2020/instagram_rce-code-execution-vulnerability-in-instagram-app-for-android-and-ios/

Experts Comments

Dot Your Expert Comments
Chris Hauk
September 26, 2020
Consumer Privacy Champion
Pixel Privacy

Users need to keep the apps on their mobile devices and computer up to date.
This flaw could have turned the user's device into a tool that could've been used to spy on them. Perhaps the worst possibility is that it could've been used to ruin the reputations of Instagram users, via the manipulation of a user's Instagram profile. Happily, the security hole was plugged after Instagram owner Facebook was notified of the flaw. Even though the flaw was patched, it underscores the risks of using any app that shares personal information on the web. Users need to keep the.....Read More
This flaw could have turned the user's device into a tool that could've been used to spy on them. Perhaps the worst possibility is that it could've been used to ruin the reputations of Instagram users, via the manipulation of a user's Instagram profile. Happily, the security hole was plugged after Instagram owner Facebook was notified of the flaw. Even though the flaw was patched, it underscores the risks of using any app that shares personal information on the web. Users need to keep the apps on their mobile devices and computer up to date and to be aware of the security risks involved with the permissions they give to apps like this.  Read Less
Tim Erlin
September 26, 2020
VP of Product Management and Strategy
Tripwire

The more these apps are integrated into business and daily life, the more critical they become.
We might think of social media apps as frivolous, but the more these apps are integrated into business and daily life, the more critical they become. Social media, including Instagram, are conduits for news and information. They’re also conduits to personal information stored on mobile devices. Targeted takeover of high profile accounts is one possibility, but in this age of disinformation campaigns, there’s clear value in taking over the average consumer’s account for the purposes of.....Read More
We might think of social media apps as frivolous, but the more these apps are integrated into business and daily life, the more critical they become. Social media, including Instagram, are conduits for news and information. They’re also conduits to personal information stored on mobile devices. Targeted takeover of high profile accounts is one possibility, but in this age of disinformation campaigns, there’s clear value in taking over the average consumer’s account for the purposes of spreading propaganda.  Read Less
Jake Moore
September 25, 2020
Cybersecurity Specialist
ESET

There is always a risk when you give up any level of access control.
Allowing permissions in apps is something most people don’t tend to think twice about, but the truth is that there is always a risk when you give up any level of access control. Where possible, it remains safer to disable all app permissions, like the ability for apps to save photos to the device, access the camera, and use the microphone. Privacy and security starts by holding back on those permissions. This instance is a particularly dangerous exploitation that has fortunately been.....Read More
Allowing permissions in apps is something most people don’t tend to think twice about, but the truth is that there is always a risk when you give up any level of access control. Where possible, it remains safer to disable all app permissions, like the ability for apps to save photos to the device, access the camera, and use the microphone. Privacy and security starts by holding back on those permissions. This instance is a particularly dangerous exploitation that has fortunately been patched, albeit a number of months after first located. Buffer overflow attacks are nothing new – and, ideally, should have been located by the in-house developers. With the amount of control that this malware was allowed, it could have been catastrophic if used by state actors.  Read Less
Jayant Shukla
September 25, 2020
CTO and Co-Founder
K2 Cyber Security

Open source code is as likely to have vulnerabilities as any other code.
This latest discovered vulnerability in Instagram has many important lessons for enterprise security. First, the flaw is a Remote Code Execution (RCE) vulnerability, one of the most dangerous vulnerabilities because it gives the cybercriminal the ability to run arbitrary code on the exploited system. As such, it should be high on the list of vulnerabilities that are tested for in applications developed by enterprises. Second, the flaw is based on open source code, which since the pandemic.....Read More
This latest discovered vulnerability in Instagram has many important lessons for enterprise security. First, the flaw is a Remote Code Execution (RCE) vulnerability, one of the most dangerous vulnerabilities because it gives the cybercriminal the ability to run arbitrary code on the exploited system. As such, it should be high on the list of vulnerabilities that are tested for in applications developed by enterprises. Second, the flaw is based on open source code, which since the pandemic began, has been used even more widely than ever by enterprises to get applications to production more quickly. Open source code is as likely to have vulnerabilities as any other code, so enterprises need to treat open-source code the same as any in-house developed code, with thorough testing to ensure no vulnerabilities exist. Third, and finally, the vulnerability is a good reminder to keep software and operating systems up to date and patched, as this vulnerability was patched after it was reported, but before the CVE was released to the public. Keeping your software up to date keeps systems and devices safe from cybercriminals using easy exploits with known CVEs.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...

Expert Reaction On Private Data Leaked From Far-right Platform Gab