Technical details about a high-severity vulnerability in Facebook's Instagram app for Android and iOS show how a maliciouss user could exploit it to take full control over the victim's account.
For this to work technique, ο κακόβουλος χρήστης θα πρέπει να στείλει στο στόχο μια ειδικά κατασκευασμένη εικόνα μέσω μιας κοινής πλατφόρμας ανταλλαγής messages or via email.
The issue was how to analyze images from Instagram, as long as the application has access to it to display it as an option in a post. Then the vulnerability would start by allowing dangerous actions.
Technically, vulnerability is a buffer overflow (CVE-2020-1895) that happens when Instagram tries to upload a bigger image believing it is smaller.
Facebook fixed the problem in the spring, after the revelation of the company Check Point and issued security tips to deal with it.
In a detailed technique report today, Check Point's Gal Elbaz points out how custom third-party code implementation on Instagram could lead to serious, remote code execution risks.
The weak point, in this case, was a fixed hardcoded value added by Instagram developers when integrating Mozjpeg, an open source JPEG encoder that Mozilla configured with libjpeg-turbo for better JPEG compression.
Check Point started checking Mozjpeg for possible defects that could be exploited in a meaningful way. The purpose was to find out if Instagram could be influenced by the library.
They found that the function that handles sizes image when parsing JPEGs, it had a bug that caused memory allocation problems during the decompression process.
This could be used to damage memory, which can have dangerous consequences. At best, this type of error could throw Instagram, but if exploitable, it can lead to critical risks.
According to Check Point, Instagram has extensive permissions on the device, which include access to contacts, storage, device location, camera and microphone.
So in addition to checking the device owner's Instagram, a hacker could use the device as a spy tool without suspicion.