Third-party code bug left Instagram users at risk of account takeover

Security teams at Check Point and Facebook have highlighted the dangers of relying on third-party code in the development process after disclosing a critical remote code execution (RCE) vulnerability in the Instagram photo-sharing platform, which could have enabled malicious actors to take over their victim’s Instagram and turn their device into a spying tool.

Assigned CVE-2020-1895, the vulnerability is described by Facebook as an integer overflow leading to a heap buffer overflow, and existed within Mozjpeg, an open source, third-party JPEG decoder used in Instagram to upload images to the application. It was patched six months ago, but is only being disclosed now that enough users have hopefully updated their apps to mitigate its impact.

Had an Instagram user saved a malicious image sent via email, WhatsApp or SMS, and then opened the Instagram app, the exploitation would have been triggered, giving the attacker full access to the victim’s messages and images, allowing them to post or delete images to Instagram, and access other features of the phone, including location data, phone contacts and stored media. It could also have been used to crash the victim’s installation of Instagram, denying them access to it and forcing them to delete and re-install it.

Check Point’s Yaniv Balmas, head of cyber research, warned developers of the risks of using third-party code libraries such as Mozjpeg without thoroughly checking them for bugs. He pointed out that while it is common to save time in the development process by using third-party code to handle common tasks such as image and sound processing, such code can often contain bugs that introduce more serious vulnerabilities into the final product.

“Third-party code libraries can be a serious threat. We strongly urge developers of software applications to vet the third-party code libraries they use to build their application infrastructures and make sure their integration is done properly,” said Balmas.

“Third-party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?” he added.

Balmas said that end users could also protect themselves by taking the time to check the permissions an app such as Instagram has on their device. Although this might seem like a burden, it is also one of the strongest defence mechanisms available to the average app user.

“I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?” he said.

Balmas also urged people to regularly update their mobile applications and mobile operating systems, pointing out that often critical security patches are being shipped in such updates all the time.

A Facebook spokesperson said: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”

Commenting on the disclosure, OneLogin technical services vice-president, Stuart Sharp, said: “This vulnerability shows just how vulnerable our online accounts are. By allowing remote access to an Instagram account, the attackers could use this for any  purpose they wish, including blackmail or the compromise of high-profile or corporate Instagram accounts. Instagram must work as quickly as possible to patch this vulnerability.”

He argued that the disclosure of such a vulnerability should prompt any service provider, such as Facebook, to “go back to the drawing board” and rethink their approach to security during the development process.

Javvad Malik, security awareness advocate at KnowBe4 described the vulnerability as both interesting and worrying, given how much sensitive information social media accounts can contain.

“For this particular attack to be successful, a picture needs to be sent to a target and saved to their phone. Therefore, one of the best ways to defend against this would be for people to be wary of incoming images, especially from unknown parties. It is rumoured that Jeff Bezos’s phone was also compromised due to receiving a malware-laced video via WhatsApp,” he said.

“Users can also disable the auto-saving of images that are received via social media such as Whatsapp. For influencers, or brand managers who use Instagram or other social media in a professional capacity, it’s worth considering using separate devices for work and personal social media uses. This would apply to not just the influencers and celebrities themselves, but also any staff that support them and have access to their accounts,” added Malik.

Check Point’s research team have published full technical details on CVE-2020-1895 online. They noted the Instagram bug was likely “the tip of the iceberg” when it came to Mozjpeg.

“The Mozilla-based project is still widely used in many other projects over the web, in particular Firefox, and it is also widely used as part of different popular open-source projects such as sharp and libvips project,” said Check Point’s researchers.