A stark warning for Instagram users today, with a new security report claiming a user’s app could have been hacked by nothing more than a single photo texted to their iPhone or Android smartphone. And while the specific issue has now been patched by Facebook, with updates issued for Instagram’s hundreds of millions of Android and iOS users, the dangers of downloading images and other files messaged to our phones remains.
According to the research team at Check Point, “the critical vulnerability… would have allowed an attacker to perform any action of choice inside Instagram – read DMs, delete or post content, manipulate account details, as well as the ability to turn a victim’s phone into a spying tool to access GPS location, phone contacts and camera.”
“The attacker would only need a single, malicious image to execute the attack,” Check Point says, and that by saving the image, the cyber weapon would be primed. As soon as Instagram was next opened, the attack could take place. Given the seriousness of the disclosure, the cyber firm says it has waited six months before publishing its report. “We wanted to make sure the patch arrives to most phones out there and users are protected,” Check Point’s Yaniv Balmas told me, “otherwise the consequences of such publication can be bad—to say the least.”
Facebook has confirmed that the vulnerability was disclosed and patched, but told me that “Check Point’s report overstates a bug, which we fixed quickly and have no reason to believe impacted anyone.” According to Check Point, they pulled their proof of concept before actually hacking any accounts. Facebook says this means that “through their own investigation, Check Point was unable to successfully exploit this bug.”
Check Point completely disputes this. “By introducing a specially crafted picture to the app,” Balmas explained, “one can ‘steal’ the application execution flow and basically make it do whatever they want with the same context and permissions as the app itself. Since Instagram has many permissions (camera, GPS, contacts, …), that means the attacker can have access to these and can practically spy one anyone using Instagram.”
Check Point says that it pulled further research on its POC once it had crashed Instagram and, in its view, opened it up to attack. “We believe this proves the point,” Balmas told me. “At the end of the day, we are not developing attack tools.”
In response to Facebook’s claim that the issue has been overstated, Check Point’s Ekram Ahmed told me that “we firmly stand behind our publication, which we believe clearly demonstrates how the vulnerability is carried out. Every detail was fully and transparently disclosed to Facebook. We first informed Facebook in February 2020—then again in April and September; all instances were prior to publication. Now is the only time that Facebook has claimed the vulnerability is not an RCE [remote code execution].”
The issue exposed by Check Point lies with the implementation of Mozjpeg, an open source, third-party code library buried within Instagram, one that parses JPEG images within the app. “The issue was a buffer overflow,” Balmas told me, “caused by sending a picture with a large size which fools the application into believing it’s much smaller. This causes an overwrite and lets us do our magic.”
Check Point says that just opening Instagram after the malicious image was saved onto a phone would trigger the exploit. “Okay, so when you have a photo on your phone, the second you open Instagram the app will automatically try to load these images for you. You can see them if you push the post button on the app (at the bottom of the screen). So it’s just required for a user to open Instagram in order to be exploited, nothing more.”
Facebook takes a different view, disputing that this is a so-called “zero-click attack,” claiming that a user would need to upload the image to Instagram to crash the app and open it to an attack. Despite saying the issue was “overstated,” Facebook also pointed out that the worst case would be a single user’s account being hijacked, not a wider attack on the platform, seeming to contradict the denial of the issue. Unsurprisingly, Check Point agrees with this latter point.
Check Point has also dismissed Facebook’s rebuttal as to the nature of the vulnerability. According to Ahmed, “the malicious picture in the scenario we described does not have to be manually uploaded to Instagram. This is due to the ‘snippet’ functionality embedded within Instagram in which photos from your mobile media library are automatically parsed and presented once the Instagram application starts.”
Ahmed told me that Check Point has produced a full technical report into the exploit, “we have shared this report with Facebook along with the fact the we believe this vulnerability is exploitable, and have not received any rejections for this claims until today. We respect Facebook, but we stand 100% behind the findings and the claims in our publication.”
Claims that Instagram could have been hacked by nothing more than a photo are a major issue for Facebook, given the billion-plus user base and the data security and privacy issues that have plagued Facebook over the last two years. There have been reports of well-known Instagram accounts being allegedly hacked—it’s a sensitive issue and often obfuscates the publication of private images.
Earlier this year I liaised between Facebook and a well-known Iranian television celebrity who claimed their Instagram account had been hacked by state actors. At the time Facebook secured and recovered the hijacked account on more than one occasion as it appeared to be repeatedly hacked. The tech giant would not be drawn into sharing details of their investigation into how the compromise had taken place. Given the political sensitivities, we did not publish details of the attack or the identity of the celebrity.
“It’s a great place to find vulnerabilities,” Balmas said of image vulnerabilities, warning that “I don’t see this changing anytime soon.” The reliance on third-party libraries and the vast array of image types that an app needs to handle make this a rich hunting ground for attackers. That said, this is a sophisticated attack to carry out. “It’s not trivial to find and make this bug usable,” according to Balmas, “but once you do the attack can be done in a click of a button. These types of attacks are usually carried out by nation-state actors or equivalent.”
Facebook’s advice on keeping your Instagram account safe can be found here. In the event you think your account may have been hacked, they also have some more specific advice. In simple terms, users should “pick a strong password,” they told me, with the usual rules round never reusing passwords across services. Facebook also advised that users should “revoke access to third-party apps as they can expose login information.”