A seemingly benign and common practice among Instagram users has revealed a glaring vulnerability in the Facebook-owned (FB) app, according to a new report from Check Point Software Technologies (CHKP).
The cybersecurity firm says that it exposed a critical flaw in Instagram’s image processing: saving a single image to a mobile phone would have allowed a cyber attacker to access a user’s contacts, location data, camera and files stored on the device. In January, Check Point revealed multiple vulnerabilities within the TikTok app that hackers could have used to obtain confidential personal information and manipulate user data; those flaws were subsequently patched.
Check Point’s head of cyber research, Yaniv Balmas, described the Instagram vulnerability in the following way: An attacker sends an image to a target victim by email, text message, or another communication platform. The picture is then saved to the user’s mobile device. This can happen automatically or manually depending on the sending method, the type of phone, and its configuration. Photos sent by WhatsApp, another Facebook company, are saved to the phone automatically by default. The user then opens the Instagram app, which triggers the exploit and gives the attacker remote code execution (RCE) on the device.
Check Point says it first disclosed the bug to Facebook on Feb. 1, and that Instagram released a patch on Feb. 10. According to the firm, the fix shipped in newer versions of the Instagram app, so users who have not updated are still running the vulnerable code.
“We waited until now to publish in order to ensure enough people updated their applications,” Balmas said.
‘Check Point’s report overstates a bug’
According to Check Point’s report, Facebook issued a statement saying, “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”
But in a statement to Yahoo Finance, Facebook claims: "Check Point's report overstates a bug, which we fixed quickly and have no reason to believe impacted anyone. Through their own investigation Check Point was unable to successfully exploit this bug.”
According to Facebook, simply receiving and saving an image would not have been enough to lead to RCE. The user would have to upload the image to Instagram directly. Facebook was recently accused of using mobile phone cameras to watch Instagram users, leading to a privacy lawsuit in San Francisco. The company has denied the accusations and blamed a bug for the erroneous notifications.
Now that this specific bug has been fixed, there are a couple of key takeaways, according to Check Point, which has built a reputation for white-hat security research over the last few years.
Users should regularly update apps and operating systems on their mobile devices because critical security patches are issued with these updates.
Also, it’s important to pay closer attention to the permissions an app requests, rather than just tapping “allow” without reading what is being granted: an app that already holds access to contacts, location, camera and storage hands all of that to an attacker who gains code execution inside it.
Beyond its research arm, Check Point generates revenue by selling security software, licenses and subscriptions, as well as updates and maintenance. Check Point has previously published data on security vulnerabilities at tech companies like Zoom (ZM) and Microsoft (MSFT).
Melody Hahm is Yahoo Finance’s West Coast correspondent, covering entrepreneurship, technology and culture. Follow her on Twitter @melodyhahm.