According to security researchers, Instagram was hit by a security issue that could allow attackers to take full control of your account. Researchers discovered what they describe as a “critical vulnerability,” which was capable of letting attackers into their victim’s Instagram account. Once exploited, the vulnerability could allow attackers to use their victim’s device as a spying tool.
‘Instagram hack’ causes panic among users
Unauthorized and unrestricted access to a victim’s Instagram account could allow hackers to post or delete photos and videos, access private DM chats, spy on the victim using their camera and location data, and more. The hack was made possible by a malicious image file. Describing the attack, researchers had this to say:
“When the image is saved and opened in the Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera, and location data.”
Check Point researchers discovered a remote code execution (RCE) vulnerability that put the privacy of millions of Instagram users at risk. It allowed hackers not only to take full control of the app but also to go beyond its capabilities: hackers could turn their victims’ devices into spying tools.
Researchers also believe that apps like Instagram, which hold extensive permissions to access GPS data, camera, microphone, contacts, and more, are prone to such attacks.
According to researchers, one of the third-party libraries used by the Instagram app was responsible for this hack. A vulnerability in how Instagram uses Mozjpeg, a third-party image decoder library, allowed attackers to take control of their victims’ Instagram accounts.
All attackers needed to do was send a malicious image to their target victim via email, WhatsApp, or another media exchange platform. Once the target user saved the image on their handset and opened the Instagram app, a script would run, allowing the attacker full access to any resource associated with Instagram.
Such an exploit can also be used to crash a user’s Instagram app and deny them access to the app until they uninstall it from their device and re-install it. Instagram sees more than 100 million photos being uploaded every day. The Facebook-owned service also has nearly 1 billion monthly active users.