A critical vulnerability in Instagram’s Android and iOS apps could have allowed remote attackers to run malicious code, snoop on unsuspecting users, and hijack control of smartphone cameras and microphones.

The security hole, which has been patched by Instagram owner Facebook, could be exploited by a malicious hacker simply sending their intended victim a boobytrapped malicious image file via SMS, WhatsApp, email or any other messaging service.

When Instagram is subsequently opened, a heap overflow would occur in the app’s image-processing library allowing – according to a blog post by security researchers at Check Point – attackers to spy on private messages, post and delete photos, as well as access the phone’s contacts, camera and location data.

“In effect, the attacker gets full control over the app and can create actions on behalf of the user, including reading all of their personal messages in their Instagram account and deleting or posting photos at will. This turns the device into a tool for spying on targeted users without their knowledge, as well as enabling malicious manipulation of their Instagram profile. In either case, the attack could lead to a massive invasion of users’ privacy and could affect reputations – or lead to security risks that are even more serious.”

According to the researchers, the most basic exploitation of the flaw would cause the Instagram app to crash – preventing users from accessing their account until the app is deleted from their device and reinstalled.

Specifically, the vulnerability was in the way that the Instagram app used a third-party JPEG processing library called Mozjpeg. Sloppily, Instagram misused the open-source code when handling images opening a window of opportunity for remote code execution to take place.

Fortunately, the researchers who discovered the serious security hole believe in responsible disclosure, and worked (Read more...)