A weakness in Instagram made it possible for an attacker to take over an Instagram account and turn the victim’s phone into a spy tool by merely sending some media sharing site a malicious image.
A thorough description of the weakness, how it was detected, and how it could be used has now been released by researchers at Check Point, who discovered the weakness.
Since then, the flaw was fixed.
Because of its scale and success, Check Point Analysis agreed to investigate Instagram. Of more than 100 million images posted every day, it has more than 1 billion users. The researchers decided to investigate some of the open source initiatives used inside the Instagram application by third parties — and concentrated on Mozjpeg. To optimise compression over efficiency for web files, this is an open source Jpeg encoder developed by Mozilla.
The researchers used a fuzzer on images submitted to the decompression method of Mozjpeg, and wanted to focus on one particular crash triggered by an out-of-bounds writing. They noticed that they could use an integer overload that would lead to an overload of a heap buffer. Effective exploitation of such bugs requires careful placement of heap artefacts to allow memory corruption to be adjacent to them.
They were able to use a feature under their power that carries out a raw malloc with a dimension. This allowed them to place the overflowed buffer on the heap at a location of their choosing. They might “(1) create an image with malformed measurements that (2) causes the bug, which then (3) results in a copy of our managed payload that (4) diverts the execution to an address we control” by bringing it together, the researchers reported.
Exploiting this flaw would grant the attacker total access of the Instagram software, allowing the attacker to take actions without the permission of the user — including reading all direct messages on the Instagram account, removing or uploading images at will, or accessing information about the account profile. What it takes is for the attacker to send the manufactured malicious image to the victim. If this is recorded on the victim’s phone (WhatsApp does this by default automatically), the manipulation can be enabled by simply opening the Instagram app and giving the intruder complete access for remote takeover.
Towards the end of 2019, Check Point told Facebook of its performance. Facebook recognised the flaw and allocated the reference number of CVE-2020-1895 to it. NVD gives it a grade of seriousness of 7.8. In February 2020, Facebook fixed the flaw, and Check Point waited another six months to post its flaw account to allow Instagram users ample time to upgrade their applications. Facebook states that the problem is solved, and no evidence of similar violence has been seen.
Nevertheless, though acknowledging that fuzzing the exposed code brought up new bugs that have since been patched, the Check Point researchers are “expected to exist or may be added in the future. As such, it is completely important to constantly fuzz-test this and related media format parsing code, both in operating system libraries and third-party libraries.”
Yaniv Balmas, Head of Cyber Analysis at Check Point, said: “There are two key takeaways to this report. First, 3rd party code libraries may be a significant danger. We strongly encourage software application developers to analyse the 3rd party code libraries they use to create their application infrastructures to ensure that their integration is performed correctly. In almost every single appll code, 3rd party code is used.”
“Second, he added, “People need to take the time to review the permissions that every programme has on your computer. This message can sound like a hassle, because it’s easy to just press ‘Yes’ because forget about it. But in fact, this is one of the best lines of protection against mobile cyber-attacks that anyone has, and I will urge anyone to take a minute and th
Instagram apps can ensure that version 128.0.0.26.128 or newer is used.
