Through Instagram, you can take control of any smartphone using a picture

An Instagram flaw has allowed an attacker to execute arbitrary code using a specially prepared image on someone else’s mobile device. In the creation of Mozilla, the topic lurked.

Image Correctly Picked

A significant flaw in Instagram has been eliminated by Facebook, which makes it easier to seize ownership of user accounts. To do this, it was enough to send a specially prepared image with malicious code embedded in it to a potential victim.

Check Point Software exposed the flaw. This error, according to experts, is a common buffer overflow that causes arbitrary code to run on the target system in certain circumstances.

This is extremely risky in the Instagram sense, as this program typically has access to a wide variety of peripheral components and facilities, including a camera and microphone, geolocation software, a contact list and, of course, mobile storage.

More Details:

A third-party Mozilla JPEG Encoder (Mozilla JPEG Encoder Project) embedded into Instagram to speed up the encoding and decompression of online uploaded JPEG images is the root of the issue. There was a bug in the encoder which led to an integer overflow and buffer overflow.

An attacker needs to send a malicious picture via WhatsApp, SMS , email, or instant messenger to exploit the problem to get the user to save this picture to launch Instagram. The bug can also be used to cause the crash of an application.

Anastasia Melnikova, an information security expert at SEC Consult Services, says, “Currently, a massive share of code in commercial applications comes from open source development.” —

Their usage is always more than economically acceptable (why write it yourself, if anything is ready), but the content will differ. Third-party code must also be carefully audited before and after integration with the main production in order to prevent issues , especially because errors can also arise at the stage of deployment of third-party components.

Back in winter, Check Point experts told Facebook about the current problem, and the CVE-2020-1895 index was assigned to it by Instagram developers. Patches for 32-bit and 64-bit versions of the Android and iOS app were released in February 2020, but the disclosure was delayed until February 2020.