What does the required checkpoint on Instagram mean

Instagram: Security researchers take over the app and user account

The security researchers at Check Point have something new to report once again. So they managed to hack the Instagram app. With a trick, not only could the Instagram app and the user account be taken over, but even the entire smartphone could be spied on. Both the Android and iOS apps were affected by the problem.

Images contaminated with malware were used for this. The latter, however, were not uploaded to Instagram, but rather sent to the victims via email, WhatsApp or MMS. Other services are also conceivable for this. If the user saves the respective photo, which even happens as standard with WhatsApp, and then opens the Instagram app, the otherwise dormant malware is activated. It is then possible for the attacker to control the user account.

Since the Instagram app also secures all kinds of authorizations, attackers can spy on a smartphone further and, for example, call up the location, read out the contacts and search through stored files. The specific security gap goes back to Mozjpeg, an open source decoder for jpeg images that Instagram uses to load images into the application. Apparently, Instagram had not adequately checked the security here.

Incidentally, the vulnerability is no longer active. Check Point discovered the problem about half a year ago, quietly reported it to Facebook and they closed the gap shortly afterwards. However, out of caution one waited a while longer. Facebook added the vulnerability as CVE-2020-1895.

If you are interested in all technical backgrounds, then take a look at this post on the subject. Check Point breaks down the gap again in a more complex way.