
Here’s How Instagram Can Turn Into a Spy

Instagram is a social platform of choice for celebrities as well as brand managers in the world of digital media and advertising. With more than 100 million pictures getting uploaded each day to the platform, imagine what would happen if a hacker decided to have some fun? Possibly make some too from the venture? 

No, we are not talking about a spy movie or a whodunnit here. Researchers at CheckPoint are certain that this could be a real scenario if the Facebook-owned Instagram doesn’t care to plug a critical vulnerability on the app. In fact, the hacker could even turn the smartphone into a very good spying tool using the Instagram app. 

And all that they need to do to achieve this is send a malicious file, which, when opened and saved on the app, would give the hacker full access to the victim’s messages as well as images on Instagram. They would be able to alter existing images, post new ones, delete some and virtually play around with a celebrity’s reputation. 

There’s no need to worry though! CheckPoint has taken steps to work with Facebook and Instagram to keep the users safe. 

What are the apps on your phone permitted to do?

Wherever we go, our mobile phones usually go with us, to keep us in touch with families, loved ones and our work, too. Of course, this is also why mobiles are an attractive target for hackers.  Not only can they steal data and credentials from our phones, but they can also use them for spying on us: tracking our location, listening to conversations, and accessing our data and messages. 

Fortunately, all modern mobile operating systems include several layers of protection against this type of malicious activity. These protections usually rely on the basic concept of ‘application isolation’ – even if someone was able to hack a specific application, they would still be confined to that application alone, along with its strict permissions, and would not be able to extend their hacking attempt any further.

The key term here is “strict permissions” – for example, a map application should be able to access your location, but should not have access to your microphone; a dating app should be able to access your camera and nothing else, and so on.

But what happens when we’re talking about an application that has extensive permissions on your device?  If the application is hacked, the hacker will have easy access to your GPS data, camera, microphone, contacts, and more.  

Fortunately, there isn’t a huge list of apps that have such extensive permissions on users’ devices.   One example is Instagram. Given its popularity and wide-ranging permissions, we decided to review the security of Instagram’s mobile app for both Android and iOS operating systems. 

What did CheckPoint find?

This is how CheckPoint describes the process: Our research revealed a critical vulnerability that might allow attackers to achieve what is technically referred to as remote code execution (RCE). This vulnerability can allow an attacker to perform any action they wish in the Instagram app (yes, even if it is not actually a part of the application logic or features). Since the Instagram app has very extensive permissions, this may allow an attacker to instantly turn the targeted phone into a perfect spying tool – putting the privacy of millions of users at serious risk.

What exactly happened out here?

So how does such a popular application include vulnerabilities, when huge amounts of time and resources are invested in developing it? 

The answer is that most modern app developers do not actually write the entire application on their own: if they did so, it would take years to write an application. Instead, they use 3rd party libraries to handle common (and often complicated) tasks such as image processing, sound processing, network connectivity, and so on. This frees the developers to handle only the coding tasks that represent the app’s core business logic. However, this relies on those 3rd party libraries being completely trustworthy and secure.

The company set about examining the 3rd party libraries used by Instagram, and the vulnerability they found was in the way that Instagram used Mozjpeg, an open source project used by Instagram as its JPEG format image decoder for images uploaded to the service. 

A bad image: hacking and taking over the user’s mobile Instagram account

In the attack scenario we describe in our research, an attacker can simply send an image to their target victim via email, WhatsApp or another media exchange platform. The target user saves the image on their handset, and when they open the Instagram app, the exploitation takes place, allowing the attacker full access to any resource in the phone that is pre-allowed by Instagram. 

These resources include contacts, device storage, location services and the device camera. In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will.  This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious. 

At a basic level, this exploit can be used to crash a user’s Instagram app, effectively denying them access to the app until they delete it from their device and reinstall it, causing inconvenience and possible loss of data.  

Thereafter, CheckPoint approached Facebook and the Instagram team. Facebook’s advisory was very responsive and helpful; they described this vulnerability as an “Integer Overflow leading to Heap Buffer Overflow” and issued a patch to remediate the issue on the newer versions of the Instagram application on all platforms. 

The patch for this vulnerability has already been available for 6 months prior to this publication, giving time to the majority of users to update their Instagram applications, thus mitigating the risk of this vulnerability being exploited. We strongly encourage all Instagram users to ensure they are using the latest Instagram app version and to update if any new version is available. 
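The bug class named in Facebook’s advisory, shown as an added illustration (this is not Instagram’s or Mozjpeg’s code, which the article does not reproduce): a buffer size computed from image header fields in 32-bit arithmetic wraps to a small value, next to a checked version that rejects such dimensions before any allocation. The function names, the sample dimensions and the limits `MAX_DIM` and `MAX_IMAGE_BYTES` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limits for this example, not values from any real app. */
#define MAX_DIM         65535u                 /* largest dimension accepted */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u) /* cap on decoded size        */

/* Unsafe pattern: the product is computed in 32 bits, so large header
 * values wrap modulo 2^32 and the result no longer matches the image. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Hardened pattern: validate each field, widen to 64 bits before
 * multiplying, and enforce an upper bound before allocating.
 * Returns 0 and stores the size in *out, or -1 if the image is rejected. */
int checked_size(uint32_t width, uint32_t height, uint32_t channels,
                 size_t *out)
{
    uint64_t bytes;

    if (width == 0 || height == 0 || channels == 0)
        return -1;
    if (width > MAX_DIM || height > MAX_DIM || channels > 4)
        return -1;
    /* Fields are bounded above, so this 64-bit product cannot overflow. */
    bytes = (uint64_t)width * height * channels;
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

int main(void)
{
    /* Constructed header values: the true size is 4295098368 bytes. */
    uint32_t w = 32768u, h = 32769u, c = 4u;
    size_t n = 0;

    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size(w, h, c));
    printf("checked result: %d\n", checked_size(w, h, c, &n));
    return 0;
}
```

A decoder that allocates the wrapped size and then writes the real number of pixels runs past the end of the heap buffer, which is why the check belongs before the allocation.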
