Facebook has reported that it patched a serious bug in one of its subsidiaries, Instagram. The bug lies in how Instagram processes image uploads using a third-party decoder, and it can be used to spy on users. It can be triggered simply by sending a maliciously crafted image file to the target, which gives the attacker all the permissions the target has granted to Instagram.
Instagram Bug Lets Hackers Intercept Your Messages!
As documented by researchers at Check Point, the bug has been assigned the identifier CVE-2020-1895 and a severity score of 7.8 out of 10. Researchers say the bug concerns how Instagram handles image uploads and processing using Mozjpeg, an open-source JPEG decoder developed by Mozilla.
Because Instagram uses the tool improperly to process images, an attacker can craft an image file carrying a malicious payload and deliver it to the target. Triggering the bug is even easier, since the target doesn’t need to do anything other than save the image to the device. Once that is done and the Instagram app is opened, the hacker can start his operations.
The bug gives the hacker access to whatever permissions the user has granted to Instagram on the device. These may include the contacts list, location and local storage. With this set of permissions, the attacker is able to add or remove posts on behalf of the target. He can also intercept Direct Messages, researchers say.
Facebook has also reported on the problem, describing it as a “large heap overflow [that] could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 220.127.116.11.128.”
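The advisory quoted above ties the heap overflow to image dimensions. As an added example (not Instagram's or Mozjpeg's code, and not from the original article), the C code below shows one common way such an overflow arises, assuming the buffer size is computed by multiplying the dimensions in 32-bit arithmetic, next to a checked version. The function names and the size caps are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy caps for this example; tune to what the app really needs. */
#define MAX_DIMENSION   16384u
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Unchecked pattern: the product is computed in 32 bits and can wrap, so the
 * buffer allocated from it is smaller than the pixel data written into it. */
uint32_t unchecked_image_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked pattern: validate each dimension, compute the product in 64 bits,
 * and refuse anything above the cap before any allocation happens. */
bool checked_image_size(uint32_t width, uint32_t height, uint32_t channels,
                        size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;

    /* Cannot overflow: at most 16384 * 16384 * 4 = 2^30. */
    uint64_t total = (uint64_t)width * height * channels;
    if (total > MAX_IMAGE_BYTES)
        return false;

    *out = (size_t)total;
    return true;
}

int main(void)
{
    /* Constructed sample dimensions: 32768 * 32768 * 4 = 2^32, wraps to 0. */
    uint32_t w = 32768u, h = 32768u, c = 4u;
    size_t n = 0;

    printf("unchecked size: %u bytes\n", (unsigned)unchecked_image_size(w, h, c));
    printf("checked accepts crafted dimensions: %s\n",
           checked_image_size(w, h, c, &n) ? "yes" : "no");
    printf("checked accepts 1920x1080x3: %s\n",
           checked_image_size(1920u, 1080u, 3u, &n) ? "yes" : "no");
    return 0;
}
```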
Although researchers spotted this bug about six months earlier, they are publicising it only now, after reporting it to Facebook privately. They waited this long to let users update the app and receive the patch. No instances of exploitation have been reported, says Facebook.