Instagram Bug Let Hackers Spy On You By Sending Tweaked Images

Yolanda Curtis
September 26, 2020

It affects Instagram versions prior to 128.0.0.26.128 on Android. Making matters worse, the bug could have allowed attackers to also get access to your entire contacts list, along with your phone camera and location data.

This, the researchers noted, meant that they could take over an account completely, gaining access to its photos, messages, as well as on-device data such as contacts, camera, storage, and location. As per a report by DarkReading, hackers found a new vulnerability in remote code execution in Instagram that could be exploited to gain access to your phone.

The app will crash when the victim tries to access Instagram.


Facebook reassured users that no matter whether the camera was on or off while using the Instagram app, they only accessed it when the user wants it.

Researchers at cyber-security firm, Check Point, have detailed a major vulnerability in Instagram that could have allowed hackers to take over accounts with just one malicious image file. The target user's saving the relevant image on their phone also initiated the process and the hacker could access all the data of the target user. This vulnerability can allow an attacker to perform any action they wish in the Instagram app (even if it is not actually a part of the application logic or features). "Enterprise development and security teams have to quickly determine if and where they might have used Mozjpeg, while adversaries race to discover where the now vulnerable components live in applications".

The Check Point Research report states that image parsing code, as a third-party library, is the weakest point of Instagram's large system.


Our modus operandi for this research was to examine the 3rd party libraries used by Instagram, and the vulnerability we found was in the way that Instagram used Mozjpeg- an open source project used by Instagram as its JPEG format image decoder for images uploaded to the service. Researchers said that by sending a mere image file, that carries a malicious payload and crafted to trigger the bug, can hijack target's phone.

The vulnerability gives the attacker full control over the Instagram app, enabling the hacker to take actions without the user's consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details. Facebook's advisory was very responsive and helpful, they have described this vulnerability as an "Integer Overflow leading to Heap Buffer Overflow" and issued a patch to remediate the issue on the newer versions of the Instagram application on all platforms. To ensure enough Instagram users updated their applications, therefore significantly mitigating the security risk, Check Point researchers waited 6 months to publish these findings.

Check Point's SandBlast Mobile (SBM) provides full visibility into mobile risks, with advanced threat prevention capabilities.


To exploit the vulnerability, the attacker would only need a single, malicious image.

Other reports by iNewsToday

FOLLOW OUR NEWSPAPER