A report by CheckPoint researchers disclosed details about this RCE vulnerability in the Instagram Android application that could have allowed cybercriminals to control over a targeted device just by sending them a crafted image. This vulnerability was discovered by Check Point cybersecurity researchers in April, The firm disclosed this vulnerability to Facebook and they were able to patch this quickly.
If the target saves a crafted image to their phone and tries to upload the photo on Instagram, the hackers would gain remote access to the targeted device giving them full access to their Instagram account as well as including smartphone features such as a microphone, camera, and more. However, Check Point reported that while fuzzing the app with malicious code frequently caused the Instagram app to crash.
CVE-2020-1895, This vulnerability described by Facebook as integer overflow which leads to a heap buffer overflow, existed within an open-source Mozjpeg third-party JPEG decoder used by Instagram to upload images to the application.
“At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data,” Check Point added.
The vulnerability was patched six months before and now the writeup of the RCE being public just to mitigate the risk of exploitation.
“We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook said. “We’re thankful for Check Point’s help in keeping Instagram safe.”