Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/24/2020
04:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Critical Instagram Flaw Could Let Attackers Spy on Victims

A now-patched remote code execution vulnerability could be exploited with a specially sized image file, researchers report.

A critical Instagram flaw could have enabled attackers to perform remote code execution and access a victim's camera, microphone, and other components, Check Point researchers found.

CVE-2020-1895 has a CVSS score of 7.8 and exists in the Instagram app on both Android and iOS. It was discovered in early February and reported to Facebook, Instagram's owner, which issued a patch. Now that a fix has been available for six months, researchers who discovered this vulnerability are publicly disclosing the details of how an attack would unfold.

Related Content:

12 Bare-Minimum Benchmarks for AppSec Initiatives

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: Making the Case for Medical Device Cybersecurity

"All of social media has become, in this day and age, the most precious and wanted target," says Check Point security researcher Gal Elbaz. It was for this reason the research team chose to audit the security of Instagram on multiple operating systems, he says in a technical writeup.

Like many software companies, Instagram integrates third-party open source projects in its software. This flaw exists in the way it uses Mozjpeg, a public project built by Mozilla that serves as Instagram's JPEG format decoder for images uploaded to the photo-sharing app.

An attacker who wanted to exploit the vulnerability would only need to send an image to the victim's device via WhatsApp, text, email, or any other messaging service, Elbaz says. The victim saves the image onto their phone; next time that person opens Instagram, the exploitation takes place and grants an attacker permission for any resource on the phone that Instagram can access.

This could include the device's camera, GPS/location services, contacts, and storage, among other things. Within the Instagram app, the attacker could conduct actions on behalf of the user, including reading messages, posting and deleting photos, or deleting the app altogether. 

The vulnerable function handles image dimensions when parsing JPEG image files, Elbaz says. To exploit the bug, an image would have to be sent with malformed dimensions. Facebook's advisory for the flaw describes it as an "integer overflow to buffer overflow" and says a "large heap overflow" could occur when trying to upload an image with specially crafted dimensions. It affects versions of Instagram before 128.0.0.26.128.

The exploit would be ineffective on phones with permissions for Instagram disabled, says Yaniv Balmas, Check Point's head of cyber research. However, doing so would reduce the app's functionality. "If Instagram doesn't have any permissions, the exploit will be useless, but frankly I think Instagram will be useless without those permissions as well," he explains.

The vulnerability was not easy to find and exploit — Elbaz spent months working on it, Balmas says — but it's fairly easy for an attacker to take advantage now that it's been discovered.

What Businesses Should Learn
Researchers chose to explore Instagram's security because of its massive user base, which makes it an appealing attacker target. However, Balmas points to a pattern of criminals seeking to buy vulnerabilities that will give them broader device access.

"We see a trend of attackers trying to go for applications with excessive permissions, and that's a thing with Instagram," he says. "[It has] all these permissions — camera, microphone, GPS, contacts, all of these things — if you just manage to exploit this application, you don't really need to move forward in exploiting the entire phone." With access to the permissions of an app like Instagram, an attacker has free rein to explore many of the target device's features.

This particular vulnerability exists in the way Instagram uses Mozjpeg, and not in the open source project itself, Balmas emphasizes. That said, both researchers agree it's important for organizations to carefully vet the third-party code they use in their applications. 

"You have to look at the open source library you use as part of your code, because it is part of your code," Elbaz says, noting that he treats open source code as he would the code of products he writes, with penetration testing and thorough examination.

Although it's natural to not understand "every bit and byte" that goes into open source code, Balmas says it's important to remember that just because someone else wrote the code doesn't mean it's free of errors. Open source code is just as likely to have vulnerabilities.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3995
PUBLISHED: 2020-10-20
In VMware ESXi (6.7 before ESXi670-201908101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x before 15.1.0), Fusion (11.x before 11.1.0), the VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to tr...
CVE-2020-7363
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.
CVE-2020-7364
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of UCWeb's UC Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects UCWeb's UC Browser version 13.0.8 and prior versions.
CVE-2020-7369
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version ...
CVE-2020-7370
PUBLISHED: 2020-10-20
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of Danyil Vasilenko's Bolt Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Bolt Browser version 1.4 and prior versions.