Instagram Accounts Could Be Hacked with a Single Image
A dangerous bug in the Android and iOS versions of the Instagram app allowed potential attackers to take over a victim’s account and spy on their mobile device. To exploit the vulnerability, an attacker only needed to send a specially crafted image via messenger or email.
How the Vulnerability Worked
The issue was related to how Instagram processed images. As soon as Instagram accessed a certain image and offered the option to post it, an attack vector was created.
Technically, the vulnerability—identified as CVE-2020-1895—was a classic buffer overflow. The bug occurred when Instagram tried to post a large image but mistakenly believed it was small.
Patch and Disclosure
Facebook’s development team has already fixed the flaw, and an official security notice was published. The details of the bug were described by Check Point researcher Gal Elbaz.
According to Elbaz, implementing third-party code in Instagram led to serious risks, including the possibility of remote code execution.
Attack Method
In this case, the root cause was a hardcoded constant value that Instagram’s developers added when integrating with Mozjpeg. Elbaz outlined the approximate attack algorithm for exploiting this vulnerability:
- The attacker sends the victim a malicious image (via WhatsApp, SMS, email, or any other messaging service).
- If the user saves the image and later opens Instagram, the vulnerability is triggered, allowing the attacker to gain full access to the victim’s device.
The bug could also be used to repeatedly crash the app.