Security researchers at Check Point identified a critical vulnerability in Instagram, the popular photo and video sharing app with over 1 billion users worldwide. The vulnerability would have given an attacker the ability to take over a victim’s Instagram account and turn their phone into a spying tool, simply by sending them a malicious image file. When the image is saved and opened in the target’s Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera and location data.

How the attack works

To exploit the vulnerability, the attacker would only need a single, malicious image. Check Point researchers summarized the attack method in three steps:

  • Attacker sends a malicious image to a target user’s email, WhatsApp or other media exchange platform.
  • Picture is saved to the user’s cellphone. This can be done automatically or manually, depending on the sending method, the cellphone type, and configuration. A picture sent via WhatsApp, for example, will be saved to the phone automatically by default on all platforms.
  • Victim opens Instagram app, triggering the exploitation, giving the attacker full access for remote takeover.

Phone as spying tool using Instagram

The vulnerability gives the attacker full control over the Instagram app, enabling the hacker to take actions without the user’s consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details.

The Instagram application also has extensive permissions that are gateways to other functions on users’ phones, so an attacker could also use the vulnerability to access phone contacts, location data, phone camera and files stored on the device, turning the phone into a perfect spying tool.

At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.

Danger in using 3rd party code

Check Point researchers found the vulnerability in Mozjpeg, an open source JPEG decoder which is used by Instagram to upload images to the application. As a result, researchers are warning app developers about the potential risks of using 3rd party code libraries in their apps without checking for security flaws.

Application developers frequently do not write the entire application on their own. Instead, developers save time by using 3rd party code to handle common tasks such as image and sound processing, network connectivity, and more.

However, 3rd party code often contains vulnerabilities which could lead to security flaws in the overall app, as in this case with Instagram.

Responsible disclosure

Check Point researchers responsibly disclosed their findings to Facebook, the owner of Instagram. Facebook promptly acknowledged the issue, describing the vulnerability as an “Integer Overflow leading to Heap Buffer Overflow”.
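An added illustration of the bug class named above, not code from Mozjpeg, Instagram or Check Point's report: a decoder that sizes its pixel buffer from image-header fields with 32-bit arithmetic, next to a checked version that rejects the header instead. The function names, the 256 MiB limit and the sample dimensions are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit for one decoded image (256 MiB). */
#define MAX_DECODED_BYTES ((uint64_t)256 << 20)

/* Flawed pattern: the product is computed in 32 bits and silently wraps. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Hardened pattern: widen first, then reject before multiplying past the limit.
 * Returns 0 and stores the byte count in *out, or -1 if the header is rejected. */
int checked_size(uint32_t width, uint32_t height, uint32_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return -1;
    uint64_t row = (uint64_t)width * channels;   /* at most 2^34, cannot wrap */
    if (row > MAX_DECODED_BYTES / height)        /* row * height would exceed the limit */
        return -1;
    *out = (size_t)(row * height);
    return 0;
}

/* Allocate the pixel buffer only when the size computation is trustworthy. */
uint8_t *alloc_decoded(uint32_t width, uint32_t height, uint32_t channels, size_t *size)
{
    if (checked_size(width, height, channels, size) != 0)
        return NULL;
    return malloc(*size);
}

int main(void)
{
    /* Constructed header values: true size is 4,295,229,440 bytes. */
    uint32_t w = 0x10000, h = 0x4001, c = 4;
    size_t size = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(w, h, c));
    uint8_t *buf = alloc_decoded(w, h, c, &size);
    printf("checked:   %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

With the unchecked computation the allocation is far smaller than the data the decoder would go on to write, which is how an integer overflow becomes a heap buffer overflow.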

Facebook issued a patch to remediate the vulnerability on newer versions of the Instagram application on all platforms. To ensure enough Instagram users updated their applications, therefore significantly mitigating the security risk, Check Point researchers waited 6 months to publish these findings.

Code libraries

Yaniv Balmas, Head of Cyber Research at Check Point said: “This research has two main takeaways. First, 3rd party code libraries can be a serious threat. We strongly urge developers of software applications to vet the 3rd party code libraries they use to build their application infrastructures and make sure their integration is done properly. 3rd party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?

Second, people need to take the time to check the permissions an application has on your device. This “application is asking for permission” message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”

Facebook has issued the following comment: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”

Safety tips

Check Point’s Yaniv Balmas provided the following safety tips for people:

  • Update! Update! Update! Make sure one regularly updates their cellphone application, and the cellphone operating systems. Dozens of critical security patches are being shipped out in these updates on a weekly basis, and each one can potentially have severe impact on one’s privacy.
  • Monitor permissions. Pay close attention to applications asking for permissions. It’s very easy for app developers to just ask the users for excessive permissions, and it’s very easy for users to just click ‘Allow’ without thinking twice.
  • Think twice for approvals. Take a few seconds to really think before one approves anything. Ask: “does one really want to give this application this kind of access, does one really need it?” If the answer is no, DO NOT APPROVE.