
Instagram says it has fixed a bug that would allow hackers to take over targets' smartphones and spy on them just by sending a photo with malicious code

  • Cybersecurity researchers found a vulnerability in the Instagram app that would allow hackers to remotely take over someone's smartphone.

  • The vulnerability, which has been patched, enabled attackers to gain access to a target's camera, microphones, and photos just by sending them a picture that carries malicious code.

  • It stemmed from how Instagram uses third-party code to process images in users' photo libraries.

  • Users can patch the vulnerability by making sure their Instagram app is up to date.


Cybersecurity researchers uncovered an Instagram vulnerability that would have enabled hackers to take over someone's smartphone and use it to spy on them by merely sending an image loaded with malicious code.

The vulnerability was uncovered by Check Point Security in April, the firm announced this week. It has since been patched by Facebook, the company said in an advisory, meaning anyone with the latest version of the Instagram app is immune to the attack.

But the vulnerability is notable because of how easily it can be carried out and the wide range of permissions it would grant a hacker. The attack begins when a hacker sends an image loaded with malicious code to a target via email or through a messaging app like WhatsApp.

If the target were to save the image to their phone and subsequently open Instagram and try to upload the photo, the hacker would gain full access to the user's Instagram account, as well as whatever functionalities Instagram can access, including the phone's microphone and camera. However, in several of the tests Check Point carried out, attempting to upload the photo that included the malicious code frequently caused the Instagram app to crash.

"People need to take the time to curate each permission an application has on your device. This 'application is asking for permission' message may seem like a burden, and it's easy to just click 'Yes' and forget about it," Check Point head of cyber research Yaniv Balmas said in a statement to Business Insider. "But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks."

A Facebook spokesperson said in a statement that the vulnerability has been patched and that the company isn't aware of anyone abusing the exploit.

"Check Point's report overstates a bug, which we fixed quickly and have no reason to believe impacted anyone. Through their own investigation Check Point was unable to successfully exploit this bug," the spokesperson said in a statement to Business Insider.

Read the original article on Business Insider