If you’re reading this story, you are probably somewhat cyber-conscious. Hopefully, if I want to send you a file attachment in a text message
If only that were the case. The fact is that a malicious image has the same capacity to damage your device and steal your data as any other malicious attachment: it is a data file that has to be parsed, and a bug in the parser can be exploited by whoever crafts the file. The only difference is that it is a more complex attack, which makes it less common. We saw the latest example of such a threat this week. Facebook has confirmed that it has fixed an Instagram vulnerability reported by Check Point researchers: a crafted image that could potentially hijack an entire account and, according to the researchers, make use of the permissions Instagram holds on the smartphone.
Facebook denied Check Point’s claim that the malicious image that crashed Instagram could be used to take over the smartphone itself and access its camera and microphone. Facebook told me that the worst-case scenario would be an account hijack, which in itself seems bad enough. And while Check Point claimed that saving the picture to a phone would be enough to trigger the attack, Facebook said that a user would have to upload the picture to Instagram. Either way, the fact that an image had been created as an attack tool was not in dispute. And that is what this is all about.
Check Point’s proof-of-concept attack consisted of sending an image to a victim through a popular platform – iMessage, Android Messages or WhatsApp – with content that tricked the victim into saving the photo to their device. It’s simple – most of us do it all the time, even if only to share the picture on another platform instead of forwarding the message we received.
Check Point’s Ekram Ahmed told me this should serve as a warning. “Think twice before saving photos to your device,” he said, “as it can be a Trojan horse that hackers can use to get into your phone. We demonstrated this using Instagram, but the vulnerability can likely be found in other applications.” This is almost certainly the case: the problem was in an open source image-parsing library bundled into the Instagram app, and that third-party library is widely used in countless other apps.
Sonatype, which specializes in helping developers use such open source software libraries safely, told me that such components “make up 90% of all modern applications, and not all components are created equal … As Check Point responsibly disclosed the problem and Facebook has released a patch, thousands of other companies may be using a vulnerable version of [that] component. Now the race is on.”
If a malicious image arrives in one of your mainstream messaging or social media apps, viewing it inside the app is almost certainly fine. The problem starts when you save it to the album in your phone’s internal memory or on external storage, where every other app and parser on the device gets a turn at it. We saw this last year when WhatsApp and Telegram were exposed to an Android weakness affecting apps that saved images to external storage, where other apps could reach them. And earlier this year Google’s Project Zero team warned that the image processing that messaging relies on, even on iOS, could be compromised when handed an unusual file type.
However, issues with mainstream apps do get fixed. Sticking to major messaging and social media apps means these image-parsing vulnerabilities are patched soon after they are exposed. Simply put, the flaws are in the apps, not the pictures; you are trusting the app to process the content it displays securely. As soon as you move an image out of that sandbox, so to speak, and onto your own device, the risk changes. What the apps don’t do is clean the pictures sent through them to remove threats in case you save those pictures to your own device. Social media apps strip metadata, e.g. the location where the photo was taken, and recompress the image to reduce its size. But they are not looking for threats built into the structure of the image itself. SMS messaging apps don’t even compress or strip metadata by default.
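What a check of the image’s structure looks like, as an added example that is not from the article, from Check Point or from Facebook: the script below, written for this page, walks the marker segments of a JPEG without decoding any pixels and flags the claims a file makes that its bytes do not back up, such as a segment length that runs past the end of the file (the kind of mismatch that becomes an out-of-bounds read or write in a careless decoder) or data hidden after the end-of-image marker. The three sample files are constructed inline, and the helper names are the example’s own. It is a structural sanity check only: it cannot catch a bug in how a decoder interprets well-formed data, which is why a real sanitiser decodes and re-encodes the image rather than merely stripping metadata.

```python
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, *range(0xD0, 0xD8), 0xD8, 0xD9}

MARKER_NAMES = {
    0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
    0xDB: "DQT", 0xDD: "DRI", 0xFE: "COM",
}


def marker_name(m: int) -> str:
    if m in MARKER_NAMES:
        return MARKER_NAMES[m]
    if 0xE0 <= m <= 0xEF:
        return f"APP{m - 0xE0}"
    if 0xD0 <= m <= 0xD7:
        return f"RST{m - 0xD0}"
    return f"0x{m:02X}"


def walk_jpeg(data: bytes) -> dict:
    """Walk the marker segments of a JPEG without decoding pixels.

    Returns {'segments': [...], 'problems': [...], 'trailing_bytes': int}.
    A problem is any structural claim in the file that the bytes present
    do not support; a decoder that trusts such a claim is where memory
    corruption starts.
    """
    segments, problems = [], []
    trailing = 0
    n = len(data)
    if n < 2 or data[:2] != b"\xff\xd8":
        return {"segments": [], "problems": ["missing SOI; not a JPEG"], "trailing_bytes": 0}
    segments.append("SOI")
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            problems.append(f"expected marker at offset {pos}, found 0x{data[pos]:02X}")
            break
        while pos < n and data[pos] == 0xFF:  # fill bytes may precede a marker
            pos += 1
        if pos >= n:
            problems.append("file ends inside a marker")
            break
        m, start = data[pos], pos - 1
        pos += 1
        name = marker_name(m)
        if m == 0xD9:
            segments.append("EOI")
            trailing = n - pos
            if trailing:
                problems.append(f"{trailing} bytes after EOI")
            break
        if m == 0x00:
            problems.append(f"stuffed 0xFF00 outside entropy-coded data at offset {start}")
            break
        if m in STANDALONE:
            segments.append(name)
            continue
        if pos + 2 > n:
            problems.append(f"{name} at offset {start}: truncated length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        if length < 2:
            problems.append(f"{name} at offset {start}: declared length {length} < 2")
            break
        if pos + length > n:
            problems.append(f"{name} at offset {start}: declared length {length} "
                            f"runs {pos + length - n} bytes past end of file")
            break
        segments.append(name)
        pos += length
        if m == 0xDA:
            # Entropy-coded data follows SOS; skip to the next real marker.
            # 0xFF00 is byte stuffing and 0xFFD0-D7 are restart markers, both part of the scan.
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1
    else:
        problems.append("no EOI marker")
    return {"segments": segments, "problems": problems, "trailing_bytes": trailing}


def structurally_clean(data: bytes) -> bool:
    return not walk_jpeg(data)["problems"]


# Constructed sample files (not real captures): a well-formed skeleton, one whose
# APP0 segment claims 65535 bytes it does not have, and one with data hidden after EOI.
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


_JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS_HDR = b"\x01\x01\x00\x00\x3f\x00"
GOOD_JPEG = (b"\xff\xd8" + _seg(0xE0, _JFIF) + _seg(0xFE, b"sample")
             + _seg(0xDA, _SOS_HDR) + b"\x12\x34\xff\x00\x56\x78" + b"\xff\xd9")
OVERSIZED_SEGMENT = b"\xff\xd8\xff\xe0\xff\xff" + _JFIF
TRAILING_PAYLOAD = GOOD_JPEG + b"PK\x03\x04 hidden payload"

if __name__ == "__main__":
    for label, blob in [("good", GOOD_JPEG), ("oversized", OVERSIZED_SEGMENT),
                        ("trailing", TRAILING_PAYLOAD)]:
        print(label, walk_jpeg(blob))
```

Run it on anything with a `.jpg` extension before copying it into a gallery and you will quickly see how common the trailing-data case is in files pulled from social media; the oversized-length case is the one worth refusing outright.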
The ease with which such a problem can spread was highlighted in May when an image shared on social media crashed certain Android devices as soon as it was set as the home screen wallpaper. The problem lay in the way the image’s colour information interacted with the corresponding code on the Android device. Again, there is no way to check for such issues through the messaging or social media apps used to virally share such threats. There was no malicious intent behind this particular image, but it shows you how powerful a crafted image can be. “These types of attacks are usually carried out by nation-state actors or something similar,” said Yaniv Balmas, director of cyber research at Check Point.
Crafted images aren’t the only risk posed by the myriad pictures we now receive and then share. If we are going to put ourselves or others at risk through the content sent to or from our phones, it is most likely through the pictures and videos we take and share ourselves. Hence the latest move from WhatsApp, currently in development, to let users send media attachments that disappear after they have been viewed, is very welcome. This already exists in apps like Snapchat and Instagram; delivering it on a mainstream messenger would make it the norm.
So what’s the advice to stay safe? It’s remarkably simple. If you know the person and the camera, i.e. you can tell that they took the photos they sent you with their own phone, then you can save whatever they send. You can do this via wireless sharing like Apple’s AirDrop, or via iMessage or Android Messages for full-resolution versions with metadata intact. You can also use WhatsApp or other “over-the-top” messengers, though these will likely compress the photos and strip the location data from the files.
If you don’t know the sender that well, or if the picture might have been forwarded from somewhere else, or pulled from the internet or social media, don’t save it to your device. It may look like a simple photo, but ultimately it’s a data file you cannot vouch for. If you receive pictures by social media message or in your feed that aren’t photos taken by someone you know, leave them where they are.
For exactly the same reason, you should not set any of your social media or messaging apps to automatically save pictures and videos to your phone. ESET cyber guru Jake Moore warns: “Simply sending a file that is automatically saved sounds dangerous, but it is the norm for so many people. Images can be saved afterwards, which is much safer. Then you can choose when you know the images are safe from known senders.”
And that’s the key takeaway here: safe senders. But you also need to add safe content to the list. The most powerful cyber weapons are those that hide in plain sight. That is why serious threat actors focus on the mainstream apps they know will be found on almost all target devices, and why targeted spear phishing is so effective as social engineering. And that is why you need to be wary of an image that leads you to believe you can see all of its content, and so dismiss any concern that a threat may be hiding inside.