A coding vulnerability was identified by cybersecurity corporation ‘Check Point’, on Instagram which could have allowed attackers to get illegal access to anyone’s location data, phone contacts, and camera.
This vulnerability was identified by Facebook’s security committee as “Integer Overflow directing to Heap Buffer Overflow” and was prompted by a coding error in Mozjpeg, an open-source program used by Instagram as their JPEG format image decoder.
It was seen that when Mozjpeg attempted to decompress an image of specific dimensions and beyond an allocated size, it activated the bug which crashed the app and gave attackers access over Instagram app. Anyone could have manipulated the bug by delivering a specially crafted image to the target’s phone via Whatsapp, E-mail or any other online methods of media exchange. By exploiting the comprehensive app authorizations granted to apps like Instagram, attackers would have gained access to other elements of the phone such as microphone, camera, and storage.
Check Point said, “Facebook responded quickly to their findings and released a patch fixing the issue on all platforms. The patch was released in February, which means it must have been downloaded by the majority of Instagram users by now.”
Researchers at Check Point advised that the Mozjpeg program on Instagram is not a singular use case. The Mozilla-based project is widely used by various apps. Check Point suggested developers that they can reduce the attack surface by constraining the receiver to a small number of supported image formats.