When the picture is saved and opened in the Instagram app, the exploit gives the hacker full access to the victim’s Instagram messages and pictures, allowing them to post or delete pictures as they see fit, as well as access to the contacts, camera and the victim’s
An attack can be triggered as soon as a malicious image is emailed or sent
The researchers disclosed a critical vulnerability of the Remote Code Execution (RCE) type, which allows an attacker to take over a computer or server by executing malicious software (malware).
“This vulnerability could allow an attacker to take any action they want in the Instagram app. Since the Instagram app has very extensive permissions, an attacker could immediately turn the target phone into a perfect spying tool, putting the privacy of millions of users at serious risk,” the cyber security firm announced in a blog post on Friday.
Instagram is one of the most popular social media platforms worldwide. Over 100 million photos are uploaded every day, and it has almost 1 billion active users every month.
“The vulnerability we found was in the way Instagram used Mozjpeg, an open source project used by Instagram as an image decoder in JPEG format for images uploaded to the service,” explained the researchers.
The company shared the results with Facebook and the Instagram team.
Facebook described the vulnerability as “integer overflow leading to heap buffer overflow” and released a patch to address the problem in the newer versions of the Instagram application on all platforms.
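The bug class Facebook names, shown as an added example that is not Instagram's or Mozjpeg's code: a decoder sizes its pixel buffer from header dimensions, the 32-bit product wraps, and the allocation ends up far smaller than the data written into it. The function names, the sample dimensions and the 256 MiB cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names, not taken from Instagram or Mozjpeg. */

/* Unchecked: the product is computed in 32 bits and silently wraps. */
uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Checked: computes in 64 bits and rejects anything above max_bytes. */
bool pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t channels,
                         size_t max_bytes, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return false;
    uint64_t row = (uint64_t)width * channels;   /* below 2^64, cannot wrap */
    if (row > (uint64_t)max_bytes / height)      /* row * height > max_bytes */
        return false;
    *out = (size_t)(row * height);               /* fits: at most max_bytes */
    return true;
}

int main(void)
{
    /* Constructed header values: 32768 x 32769 pixels, 4 bytes per pixel. */
    uint32_t w = 32768, h = 32769, c = 4;
    size_t cap = (size_t)256 * 1024 * 1024, n = 0;  /* assumed 256 MiB cap */

    printf("true size    : %llu bytes\n", (unsigned long long)w * h * c);
    printf("32-bit result: %u bytes\n", (unsigned)pixel_bytes_unchecked(w, h, c));
    printf("checked      : %s\n",
           pixel_bytes_checked(w, h, c, cap, &n) ? "accepted" : "rejected");
    return 0;
}
```

A buffer allocated from the unchecked result would hold 128 KiB while the decode loop expects to write over 4 GiB, which is the heap overflow; the checked form refuses the image before any allocation happens.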
“The patch for this vulnerability was already available 6 months prior to this release, giving the majority of users time to update their Instagram applications, reducing the risk of exploiting this vulnerability,” the researchers said.
“We strongly recommend that all Instagram users make sure they are using the latest Instagram app version and update when a new version becomes available.”