A vulnerability in the decoder used to upload images in the user’s profile could allow hackers to take control of millions of Instagram accounts, giving them a chance to manipulate the data and spy on victims. The alert was issued on Thursday (24) by the cybersecurity company Check Point Research.
According to the company that discovered the flaw, the critical vulnerability is a Remote Code Execution (RCE) flaw and was found in the Mozjpeg JPEG decoder after researchers analyzed the security of the social network app for Android and iOS. If exploited, it makes it possible to perform actions involving the whitelist.
To achieve the goal, the hacker needs only a malicious image. It is enough to send a photo to the victim, via WhatsApp or any other service, and for the file to be saved on the device. As soon as the person uses Instagram on this device, the malicious code is activated, giving the cybercriminal full access.
The bug allows an attacker, for example, to access location data, the contact list, the camera and files stored on the cell phone. In addition, the attacker has the chance to block access to the victim’s Instagram profile, stealing the victim’s identity and being able to create fake accounts with their data.
How to protect yourself
As soon as the vulnerability was discovered by Check Point researchers, the company warned Facebook, the owner of Instagram, which in turn has already released a security patch to correct the flaw.
To avoid privacy problems caused by this and other flaws, it is recommended to update the app whenever new patches are available, in addition to keeping the operating system up to date.
Another tip is to pay attention to permission requests from apps, especially when they are excessive. If a permission is not really necessary for the app to work, avoid granting it.