Skip to content ↓ | Skip to navigation ↓

A critical vulnerability in Instagram’s Android and iOS apps could have allowed remote attackers to run malicious code, snoop on unsuspecting users, and hijack control of smartphone cameras and microphones.

The security hole, which has been patched by Instagram owner Facebook, could be exploited by a malicious hacker simply sending their intended victim a boobytrapped malicious image file via SMS, WhatsApp, email or any other messaging service.

When Instagram is subsequently opened, a heap overflow would occur in the app’s image-processing library allowing – according to a blog post by security researchers at Check Point – attackers to spy on private messages, post and delete photos, as well as access the phone’s contacts, camera and location data.

“In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will. This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.”

According to the researchers, the most basic exploitation of the flaw would cause the Instagram app to crash – preventing users from accessing their account until the app is deleted from their device and reinstalled.

Specifically, the vulnerability was in the way that the Instagram app used a third-party JPEG processing library called Mozjpeg. Sloppily, Instagram misused the open-source code when handling images opening a window of opportunity for remote code execution to take place.

Fortunately, the researchers who discovered the serious security hole believe in responsible disclosure, and worked with Facebook and Instagram to ensure that the vulnerability was patched properly.

It’s notable that details of the vulnerability have only been made public now, some six months after a patched version of Instagram was first rolled out. That underlines just how seriously the security hole was regarded by Instagram and the researchers who found it.

Because of the significant risk that a sophisticated attacker – perhaps state-sponsored – might attempt to exploit the flaw to spy upon high-risk targets, public disclosure has only taken place now, when it is believed that the majority of users will have updated their Instagram apps.

Of course, if you haven’t updated your Instagram app in the last six months or so then you really should take action now. Either remove the Instagram app from your smartphone entirely, or update it to the latest version from the official Google Play or iOS app stores.

Facebook confirmed that the security vulnerability had been fixed and that it hadn’t seen any evidence of malicious abuse of the flaw.

More information about the vulnerability can be found in a technical blog post published by the researchers.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.