A white paper has been published on a vulnerability discovered a few months ago in the iOS and Android versions of Instagram. The report, prepared by the cybersecurity company Check Point, shows how easily security vulnerabilities can be exploited.
In the spring, a critical vulnerability was detected in Instagram’s iOS and Android versions. This vulnerability would allow an attacker to access the target user’s data, block the user’s access to Instagram, gain full control over the user’s account, and even gain full control over the mobile device. Although this vulnerability has since been closed, new statements explain in technical terms how it could be exploited.
According to the statements made, exploiting Instagram’s vulnerability was very simple. If an attacker created a custom image and sent it to the target user, the vulnerability would open up wide-ranging access. The process began once the target user saved the image on their phone, and the hacker could then access all of the target user’s data.
Instagram’s critical vulnerability was discovered by the cybersecurity company Check Point. After the company reported this vulnerability to Facebook, the necessary actions were initiated and the gap was closed. However, Check Point’s technical explanations of this vulnerability make it possible to understand how easily vulnerabilities can be exploited and what kind of risk users face.
According to the technical report by Gal Elbaz from Check Point, it was third-party code integration that caused the Instagram vulnerability. The cybersecurity expert says that an open source JPEG encoder called Mozjpeg, which is also used on Instagram, caused this vulnerability. Instagram was trying to upload, through this encoder, an image that it thought was smaller but that was actually too large, which caused a crash. This type of flaw is also known as a “heap buffer overflow.”
Note: The open source JPEG encoder named Mozjpeg was developed jointly by Mozilla and Facebook. The striking feature of this encoder was that it did not lose quality while creating JPEG files (i.e. many photos) in smaller sizes. In this way, the load on both Mozilla’s and Facebook’s databases would be eased and users would be offered faster image loading.
According to the report prepared by Check Point, experts examined Mozjpeg’s code to see whether the JPEG encoder could affect Instagram. This critical vulnerability was revealed during these investigations. In his report, Elbaz also shares which code was exploited when triggering the vulnerability.
Elbaz states that a hacker must specify a size greater than 2^32 bytes in order to exploit this vulnerability. An attacker who created an image meeting this condition and sent it to the target user could reach the target via Instagram. According to Elbaz, a hacker could even execute their own code by taking advantage of this vulnerability.
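The C code below is an added example, not code from the Check Point report, Mozjpeg or Instagram. It shows the general bug class described above: a byte count above 2^32 held in a 32-bit integer wraps to a small value, so a buffer sized from it is too small for the image data, while a widened and bounded calculation rejects the image. The width × height × channels formula, the function names and the 256 MiB cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on a decoded image, chosen for this example. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Unchecked: the byte count is held in 32 bits, so it wraps modulo 2^32. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked: widen to 64 bits, bound each step, refuse oversized images. */
bool image_bytes_checked(uint32_t width, uint32_t height, uint32_t channels,
                         uint32_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return false;
    uint64_t row = (uint64_t)width * channels;   /* cannot overflow 64 bits */
    if (row > MAX_IMAGE_BYTES)
        return false;
    uint64_t total = row * height;               /* row <= 2^28, so < 2^60 */
    if (total > MAX_IMAGE_BYTES)
        return false;
    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    /* Constructed dimensions: the true size is 2^32 + 131072 bytes. */
    uint32_t w = 32768, h = 32769, c = 4, safe = 0;
    printf("unchecked size: %u bytes\n", (unsigned)image_bytes_unchecked(w, h, c));
    printf("checked: %s\n", image_bytes_checked(w, h, c, &safe) ? "accepted" : "rejected");
    return 0;
}
```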
It is possible to summarize the operation of this vulnerability as follows:
Send a qualifying image to the victim. This image can be sent via SMS, WhatsApp or e-mail applications.
After the image has been saved on the phone, wait for the victim to log into Instagram.
The app will crash when the victim tries to access Instagram. In this process, the vulnerability can be exploited in different ways.
This white paper shows how easily users can become victims of vulnerabilities. It is also possible to expand the processes described above, so the vulnerability in question is likely to lead to much more. However, Check Point stopped working on the vulnerability after reporting it to Facebook, because the security gap was quickly closed and the risk was eliminated.