Facebook has fixed a bug in Instagram that could have allowed an attacker to take over an Instagram account and turn the user’s phone into a spying tool by sending them a malicious image file.
According to cyber security researchers at Check Point, once the image is saved and opened, it would give the hacker complete access to a person’s Instagram messages and images, allowing them to post and delete images and to access phone contacts, camera and location data.
The attack can be triggered when the malicious image is sent through email or WhatsApp and saved on a victim’s device.
The researchers classify this critical vulnerability as remote code execution (RCE), which allows an attacker to take over a computer or server by running arbitrary malicious software.
Check Point stated in a recent blog that the vulnerability can allow attackers to perform any action they want on Instagram. This would also allow the attacker to turn the phone into a spying tool and put the privacy of millions of users at risk.
At present, Instagram is one of the most popular social media networks, with around 100 million photos uploaded every day and 1 billion monthly active users.
Check Point researchers also said that the vulnerability lay in the way Instagram used Mozjpeg, an open source project that Instagram uses as its JPEG image decoder for images uploaded to the service.
Check Point disclosed the findings to the Facebook and Instagram team.
Facebook described the vulnerability as an “Integer Overflow leading to Heap Buffer Overflow” and then issued a patch to remediate the problem in the new versions of Instagram on all platforms.
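The bug class Facebook names above, shown as an added C illustration that is not Instagram's or Mozjpeg's code: a buffer size that wraps in 32-bit arithmetic, next to a checked version that rejects the input before any allocation. It assumes, for illustration only, a size computed from image dimensions; the function names, the dimensions and the 256 MiB cap are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed policy limit for this example: refuse decoded images over 256 MiB. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Flawed pattern: the product is computed in 32 bits and wraps silently,
 * so the caller allocates far less than the decoder will later write. */
static uint32_t buffer_size_unchecked(uint32_t width, uint32_t height,
                                      uint32_t channels)
{
    return width * height * channels;
}

/* Hardened pattern: widen to 64 bits, bound the result, and fail closed.
 * Returns 0 and stores the size in *out, or -1 if the header is rejected. */
static int buffer_size_checked(uint32_t width, uint32_t height,
                               uint32_t channels, size_t *out)
{
    uint64_t pixels;

    if (width == 0 || height == 0 || channels == 0)
        return -1;
    pixels = (uint64_t)width * height;       /* two 32-bit values fit in 64 bits */
    if (pixels > MAX_IMAGE_BYTES / channels) /* division avoids a second overflow */
        return -1;
    *out = (size_t)(pixels * channels);
    return 0;
}

int main(void)
{
    /* Constructed header values: the true size is 4,295,229,440 bytes. */
    uint32_t w = 65536, h = 16385, c = 4;
    size_t n = 0;

    printf("unchecked size: %u bytes\n", (unsigned)buffer_size_unchecked(w, h, c));
    printf("checked: %s\n",
           buffer_size_checked(w, h, c, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```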
The researchers said that the patch for this vulnerability had been available for 6 months prior to this publication, giving users time to update Instagram and mitigating the risk of this vulnerability being exploited.
They encouraged Instagram users to make sure that they are using the latest version of Instagram and update if a new version is available.