Check Point researchers have discovered a vulnerability in Instagram’s image processing.
It would have allowed hackers to take over Instagram accounts with a single image and use a victim’s smartphone as an espionage tool to access their GPS location, contacts and camera.
To exploit the vulnerability, the attacker would only need one malicious image. Check Point researchers summarize the attack in three steps:
- The attacker sends an image to the target via email, WhatsApp, or another media exchange platform.
- The photo is saved on the user’s smartphone. This can be done automatically or manually, depending on the delivery method, smartphone type and configuration. For example, a photo sent via WhatsApp is automatically saved on the phone by default.
- The victim opens the Instagram app, which triggers the exploit and allows the hacker to take over the device remotely.
Instagram becomes a spy tool
The vulnerability gives the attacker full control over the Instagram app, allowing the hacker to perform all kinds of actions without the user’s consent or knowledge. For example, he can read the private messages in the Instagram account, delete or post photos at will, or modify account profile information.
The Instagram application also has extensive permissions that allow access to other functions on the user’s phone, so an attacker can also use the same vulnerability to access contacts, location data, the cameras and files stored on the device, turning the smartphone into a perfect espionage tool.
The ‘least’ harm is that a hacker could crash the user’s Instagram app. The user then no longer has access and must remove the app from his devices and install it again. This can lead to possible loss of his data.
What can you do about it?
- Update! Update! Update!
Make sure to update your smartphone’s mobile applications and operating system regularly. Every week there are dozens of critical security patches that are sent through these updates. Each of these patches can have a positive impact on your privacy.
- Monitor the permissions.
Pay more attention to the permissions that applications request. It is very easy for app developers to just ask the users for more permissions than necessary.
- Think twice about approvals.
Take a few seconds to think before approving something. Ask yourself: “Do I really want to give this application that much access? Do I really need that?” And if the answer is ‘no’, then DO NOT approve.