- Cybersecurity researchers found a vulnerability in the Instagram app that would allow hackers to remotely take over someone’s smartphone.
- The vulnerability, which has been patched, enabled attackers to gain access to a target’s camera, microphones, and photos just by sending them a picture that carries malicious code.
- It stemmed from how Instagram uses third-party code to process images in users’ photo libraries.
- Users can patch the vulnerability by making sure their Instagram app is up to date.
Cybersecurity researchers uncovered an Instagram vulnerability that would have enabled hackers to take over someone’s smartphone and use it to spy on them by merely sending an image loaded with malicious code.
The vulnerability was uncovered by Check Point Security in April, the firm announced this week. It has since been patched by Facebook, the company said in an advisory, meaning anyone with the latest version of the Instagram app is immune to the attack.
But the vulnerability is notable because of how easily it can be carried out and the wide range of permissions it would grant a hacker. The attack begins when a hacker sends an image loaded with malicious code to a target via email or through a messaging app like WhatsApp.
If the target were to save the image to their phone and subsequently open Instagram, the hacker would gain full access to the user’s Instagram account, as well as whatever functionalities Instagram can access, including the phone’s microphone and camera.
“People need to take the time to curate each permission an application has on your device. This ‘application is asking for permission’ message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it,” Check Point head of cyber research Yaniv Balmas said in a statement to Business Insider. “But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks.”
A Facebook spokesperson said in a statement that the vulnerability has been patched and that the company isn’t aware of anyone abusing the exploit.