A technical report has been published on a vulnerability discovered a few months ago in the iOS and Android versions of Instagram. The report, by the cybersecurity company Check Point, shows how easily vulnerabilities can actually be exploited.
In the spring, a critical vulnerability was identified in the iOS and Android versions of Instagram. It allowed an attacker to gain access to the target user’s data, block the user’s access to Instagram, take full control of the account, and even take complete control of the mobile device. Although the vulnerability has been closed, the newly published details explain technically how it could be exploited.
According to the statements, exploiting Instagram’s vulnerability was very simple. If an attacker created a custom image and sent it to the targeted user, the vulnerability opened the door to wide-ranging access. Saving the image to the target user’s phone started the process, and the hacker then had access to all of the target user’s data.
Instagram’s critical vulnerability was discovered by a cybersecurity company called Check Point. After the company reported the vulnerability to Facebook, the necessary actions were taken and the vulnerability was closed. Check Point’s technical explanation of the vulnerability makes it possible to understand how easily vulnerabilities can actually be exploited and how users are put at risk.
According to the technical report by Gal Elbaz of Check Point, what caused Instagram’s vulnerability was third-party code integration. The cybersecurity expert says that an open source JPEG encoder called Mozjpeg, which Instagram also uses, caused the vulnerability. Instagram tried to upload through this encoder an image that it thought was smaller in size but that was actually too large, which caused a crash. This type of glitch is also known as a “stack buffer overflow”.
Note: The open source JPEG encoder Mozjpeg was jointly developed by Mozilla and Facebook. A notable feature of this encoder is that it does not lose quality when creating JPEG files (i.e. many photos) in smaller sizes. This eases the load on both Mozilla’s and Facebook’s databases and offers users a faster image loading experience.
According to the Check Point report, the experts examined Mozjpeg’s code to see whether the JPEG encoder would affect Instagram. The critical vulnerability in question emerged during these investigations. In his report, Elbaz also shares the code in which the vulnerability is exploited at run time.
Elbaz says that a hacker must specify a size larger than 2^32 bytes to take advantage of this vulnerability. An attacker who created an image meeting these conditions and sent it to the target user could reach the target via Instagram. According to Elbaz, a hacker can even execute their own code by exploiting this vulnerability.
Send the victim an image that meets the conditions. This image can be sent via SMS, WhatsApp or email apps.
After the image is saved to the phone, wait for the victim to log in to Instagram.
The app will crash when the victim tries to access Instagram. In this process, the vulnerability can also be exploited in different ways.
This technical report shows how easily vulnerabilities can turn users into victims. It is also possible to extend the process described above. In other words, the vulnerability in question could lead to much more. However, Check Point stopped working on the vulnerability after reporting it to Facebook, because it was quickly closed and the risk disappeared.
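One way the size mismatch described above arises (an image the application treats as small while its declared dimensions describe more than 2^32 bytes) is a buffer-size calculation that wraps in 32 bits. The C code below is an added example, not code from Mozjpeg, Instagram or the Check Point report; the function names, the 64 MiB cap and the sample dimensions are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap for one decoded image (not from the report). */
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)

/* Unsafe pattern: the product wraps modulo 2^32, so header values that
 * describe more than 2^32 bytes can yield a small allocation size. */
static uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Hardened pattern: validate each header field, compute in 64 bits,
 * and refuse any image whose true size exceeds the cap. */
static bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t channels,
                                uint32_t max_bytes, uint32_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    uint64_t row = (uint64_t)width * channels;   /* cannot overflow 64 bits */
    if (row > max_bytes)
        return false;
    uint64_t total = row * height;               /* row and height both < 2^32 */
    if (total > max_bytes)
        return false;
    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    /* Constructed header values: true size is 2^32 + 2^17 bytes. */
    uint32_t w = 32768u, h = 32769u, c = 4u, size = 0;

    printf("naive size:   %u bytes\n", (unsigned)naive_buffer_size(w, h, c));
    if (!checked_buffer_size(w, h, c, MAX_IMAGE_BYTES, &size))
        printf("checked size: rejected (declared size exceeds cap)\n");

    /* Constructed ordinary photo dimensions pass the check. */
    if (checked_buffer_size(1080u, 1350u, 3u, MAX_IMAGE_BYTES, &size))
        printf("checked size: %u bytes\n", (unsigned)size);
    return 0;
}
```

The naive calculation reports 131072 bytes for an image whose pixel data would need just over 4 GiB, which is the gap between what the application believes and what the decoder writes; the checked version rejects the image before any buffer is allocated.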