Facebook has fixed a critical remote code execution vulnerability in Instagram that could lead to the hijack of smartphone cameras, microphones, and more.
The vulnerability, tracked as CVE-2020-1895, was discovered by Check Point. It is a heap overflow in Instagram's image-processing code and received a CVSS score of 7.8.
“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128,” reads Facebook’s advisory.
An attacker can trigger the vulnerability by sending a crafted malicious image to the victim via email, WhatsApp, SMS, or any other communications platform, so that it ends up saved on the victim’s device.
Merely opening Instagram afterwards is then enough for the app to parse the image and run the attacker’s code on the device.
“In the attack scenario we describe below, an attacker simply sends an image to the victim via email, WhatsApp or other media exchange platforms. When the victim opens the Instagram app, the exploitation takes place.” reads the analysis published by CheckPoint.
The vulnerability stems from how Instagram uses third-party libraries for image processing, in particular the open-source JPEG decoder Mozjpeg.
Researchers discovered that the function computing buffer sizes from the image dimensions while parsing JPEG images was flawed, which caused a heap overflow during the decompression process.
Check Point explained that the issue could be triggered with an image whose decoded size exceeds 2^32 bytes: the 32-bit size computation wraps, the buffer allocated for the decoded pixels is far too small, and the decoder writes past its end.
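The following is an added illustrative example, not Mozjpeg's, Instagram's or Check Point's code. It assumes the decoder sizes its output buffer as width × height × 3 bytes in 32-bit arithmetic (the 3-bytes-per-pixel factor, the 256 MiB policy cap and all function names are assumptions for the demonstration) and shows how constructed dimensions whose product exceeds 2^32 wrap to a tiny allocation that the row-by-row decode loop would overrun, next to a checked computation that rejects such images before anything is allocated.

```c
/* Illustrative example of the size-calculation wrap described above.
 * Not Mozjpeg's, Instagram's or Check Point's code; the width*height*3
 * formula, the cap and the names are assumptions for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 3                       /* assumed RGB output */
#define JPEG_MAX_DIM    65535u                  /* JPEG stores dimensions in 16 bits */
#define MAX_DECODED     (256u * 1024u * 1024u)  /* hypothetical policy cap: 256 MiB */

/* Vulnerable pattern: the product is computed in 32 bits and wraps mod 2^32. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* What a row-by-row decode loop actually writes: height rows of width*3 bytes. */
uint64_t bytes_written_by_decoder(uint32_t width, uint32_t height)
{
    return (uint64_t)height * ((uint64_t)width * BYTES_PER_PIXEL);
}

/* True if copying the decoded rows into a naively sized buffer overruns it. */
bool naive_alloc_overruns(uint32_t width, uint32_t height)
{
    return bytes_written_by_decoder(width, height) > naive_buffer_size(width, height);
}

/* Hardened: validate dimensions, multiply in 64 bits, enforce the cap.
 * Returns true and stores the size on success, false on any violation. */
bool checked_buffer_size(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0) return false;
    if (width > JPEG_MAX_DIM || height > JPEG_MAX_DIM) return false;
    uint64_t size = (uint64_t)width * height * BYTES_PER_PIXEL; /* cannot wrap */
    if (size > MAX_DECODED) return false;  /* also guarantees it fits in size_t */
    *out = (size_t)size;
    return true;
}

/* Convenience for callers that only need the value: 0 means rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height)
{
    size_t size = 0;
    return checked_buffer_size(width, height, &size) ? size : 0;
}

/* Allocate the decode buffer only after the checked computation passes. */
uint8_t *alloc_decode_buffer(uint32_t width, uint32_t height, size_t *out_size)
{
    size_t size;
    if (!checked_buffer_size(width, height, &size)) return NULL;
    uint8_t *buf = calloc(size, 1);
    if (buf) *out_size = size;
    return buf;
}

int main(void)
{
    /* Constructed dimensions: 32768 x 43691 x 3 = 4,295,000,064 = 2^32 + 32768,
     * so the 32-bit product wraps to just 32768 bytes. */
    uint32_t w = 32768, h = 43691;
    size_t sz = 0;
    printf("naive size:     %u bytes\n", naive_buffer_size(w, h));
    printf("decoder writes: %llu bytes\n", (unsigned long long)bytes_written_by_decoder(w, h));
    printf("overrun:        %s\n", naive_alloc_overruns(w, h) ? "yes" : "no");
    uint8_t *buf = alloc_decode_buffer(w, h, &sz);
    printf("checked alloc:  %s\n", buf ? "allowed" : "rejected");
    free(buf);
    buf = alloc_decode_buffer(1024, 768, &sz);
    printf("1024x768:       %s (%zu bytes)\n", buf ? "allowed" : "rejected", sz);
    free(buf);
    return 0;
}
```

The check belongs before the allocation, not in the copy loop: once the undersized buffer exists, every later write of a full row is already out of bounds, which is exactly the position a third-party decoder embedded in a larger app finds itself in.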
An attacker may have been able to hijack Instagram’s execution flow and run code within the app’s context and with its permissions.
Code running in that context could access the device’s contacts, camera, GPS data, and files stored on the device. It could also intercept direct messages, delete or post photos without permission, and change the account settings.
“At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data,” Check Point concludes.
“Our blog post describes how image parsing code, as a third party library, ends up being the weakest point of Instagram’s large system. Fuzzing the exposed code turned up some new vulnerabilities which have since been fixed. It is likely that, given enough effort, one of these vulnerabilities can be exploited for RCE in a zero-click attack scenario. Unfortunately, it is also likely that other bugs remain or will be introduced in the future.”
(SecurityAffairs – hacking, Facebook)