A vulnerability in the decoder used to upload images in the user profile allows hackers to take control of millions of Instagram accounts, manipulate their data and spy on victims. The warning was issued on Thursday (24) by cybersecurity firm Check Point Research.
According to the company that discovered the flaw, the critical vulnerability is classified as Remote Code Execution (RCE) and was found in the Mozjpeg JPEG decoder after researchers analyzed the security of the social network's app for Android and iOS. When exploited, it allows an attacker to perform actions related to the whitelist.
To achieve this, the hacker only needs a malicious image. It is enough to send a photo to the victim, via WhatsApp or another service, and the file will be saved on the device. Once the person uses Instagram on this device, the malicious code is triggered, which gives the cybercriminal full access.
For example, the bug allows access to location data, the contact list, the camera and files stored on the mobile phone. In addition, the attacker can block access to the victim's Instagram profile, steal their identity and create fake accounts with their data.
How to protect yourself
As soon as the vulnerability was discovered by Check Point researchers, the company alerted Facebook, the owner of Instagram, which in turn has already released a security patch to correct the flaw.
To avoid privacy issues caused by this and other flaws, it is recommended that you update the app when new patches are available, in addition to keeping the operating system up to date.
Another tip is to pay attention to app permission requests, especially if there are too many. If the app doesn't really need them to work, don't grant them.