The bug scored 7.8 out of 10 on the CVSS vulnerability rating scale and, according to Facebook developers, affected versions prior to 220.127.116.11.128. Fortunately, the problem was fixed back in February 2020: it was reported more than half a year ago, so the developers had enough time to create and distribute patches.
All that was required for the attack was to send a malicious image to the victim by any means (by e-mail, through a messenger, and so on). Once the user saves the image on their phone and then launches Instagram, the exploit is triggered, giving the attacker full access to the victim's Instagram messages and images, allowing them to post or delete images, and also giving access to phone contacts, the camera, location data and local files.
“An attack can lead to invasion of users' privacy, can affect their reputation, or lead to more serious security problems. At the most basic level, the exploit could be used to disable the Instagram application, which will not work until the user removes it from their device and reinstalls it, which may be associated with certain inconveniences and possible data loss,” the experts write. …
The problem lay in how Instagram works with the third-party libraries it uses for image processing. In particular, Check Point's experts focused on MozJPEG, an open source JPEG decoder developed by Mozilla that Instagram used for image processing (to improve compression and performance).
As it turned out, Instagram was using MozJPEG incorrectly, and the researchers managed to trigger an integer overflow when the vulnerable read_jpg_copy_loop function tried to process a malicious image with specially crafted dimensions.
The researchers note that fuzzing revealed several problems at once, one of which could, if desired, be used for RCE and be triggered without any user interaction at all.
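The integer-overflow pattern described above, reconstructed as an added C example that is not Check Point's or Instagram's code: a hypothetical buffer-size computation from JPEG dimensions, first unchecked (32-bit arithmetic wraps to a small allocation), then overflow-checked, with a copy loop that refuses the image instead of writing past an undersized buffer. The function names, the 256 MiB limit and the dimensions in the comments are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the defect class: the buffer size is
   derived from attacker-controlled image dimensions in 32-bit arithmetic,
   so large dimensions wrap to a small value while the copy loop still
   iterates over the full height. Not the real read_jpg_copy_loop. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t comps)
{
    return width * height * comps;   /* wraps silently on overflow */
}

/* Hardened version: every multiplication is overflow-checked (GCC/Clang
   builtin) and the result is bounded by a decoder limit. Returns 0 on
   success, -1 when the dimensions are unusable. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t comps,
                        size_t max_bytes, size_t *out)
{
    size_t n;
    if (width == 0 || height == 0 || comps == 0 || comps > 4)
        return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &n))
        return -1;
    if (__builtin_mul_overflow(n, (size_t)comps, &n))
        return -1;
    if (n > max_bytes)
        return -1;
    *out = n;
    return 0;
}

/* Copy loop that allocates from the checked size; returns NULL for an
   image whose dimensions fail validation rather than copying rows into a
   buffer sized by a wrapped product. Caller frees the result. */
unsigned char *copy_image_rows(const unsigned char *src, uint32_t width,
                               uint32_t height, uint32_t comps)
{
    size_t total;
    if (image_bytes_checked(width, height, comps, 256u * 1024 * 1024, &total))
        return NULL;
    unsigned char *dst = malloc(total);
    if (!dst)
        return NULL;
    size_t row = (size_t)width * comps;          /* safe: already validated */
    for (uint32_t y = 0; y < height; y++)
        memcpy(dst + (size_t)y * row, src + (size_t)y * row, row);
    return dst;
}
```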
The company's analysts also write that the problem of overly broad permissions, which some applications require in order to work, is more relevant today than ever. For example, a mapping app might have access to a user's location, but it should not have access to the microphone and camera, and a dating app should have access to the camera but nothing else.
“What would happen if the app had multiple permissions on your device? If such an application is compromised, the hacker will have easy access to GPS data, camera, microphone, contacts and more,” the company warns.