After auditing the security of Instagram’s apps for Android and iOS, security researchers from Check Point have discovered a critical vulnerability that could be used to perform remote code execution on a victim’s smartphone.
The security firm began its investigation into the popular social media app with the aim of examining the 3rd party projects it uses. Many software developers of all sizes utilize open source projects in their software to save time and money. During its security audit of Instagram’s apps, Check Point found a vulnerability in the way that the service utilizes the open source project Mozjpeg as its JPEG format decoder for uploading images.
The vulnerability was discovered by fuzzing the open source project. For those unaware, fuzzing involves deliberately placing or injecting garbled data into a specific application or program. If the software fails to properly handle the unexpected data, developers can then identity potential security weaknesses and address them before users are put at risk.
To exploit the vulnerability in Instagram’s mobile apps, an attacker would only need to send a potential victim a single, malicious image via email or social media. If this picture is then saved to a user’s device, it would trigger the exploitation of the vulnerability once a victim opens the app which would then give an attacker full access to their device for remote takeover.
Remote code execution vulnerability
The vulnerability discovered by Check Point’s researchers gives an attacker full control over a user’s Instagram app which would allow them to read direct messages, delete or post photos or change a user’s account profile details. However, since Instagram has extensive permissions on a user’s device, the vulnerability could be used to access their contents, location data, camera and any files stored on their device.
Upon their discovery, the firm’s researchers responsibly disclosed their findings to Facebook and the social media giant then described the vulnerability, tracked as CVE-2020-1895, as an Integer Overflow leading to Heap Buffer Overflow. Facebook then issued a patch to address the vulnerability while Check Point waited six months to publish a blog post on its discovery.
Head of cyber research at Check Point, Yaniv Balmas provided further insight on the potential dangers of using 3rd party code, saying:
“This research has two main takeaways. First, 3rd party code libraries can be a serious threat. We strongly urge developers of software applications to vet the 3rd party code libraries they use to build their application infrastructures and make sure their integration is done properly. 3rd party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?”