Details of a bug on Instagram Android and iOS app reveal that hackers could spy on you by sending an image. Not just this, the bug could also lead to Instagram repeatedly crashing till uninstalled and re-installed.

Gal Elbaz from Check Point, a cybersecurity company told Bleeping Computer about the issue. The Instagram bug was a vulnerability caused by third-party code integration. This bug can let hackers send a specifically tweaked image to your phone, designed to crush Instagram and spy on users.

How Did This Instagram Bug Work?

It started with the hacker sending a corrupted image on your email or WhatsApp. If you saved that image, the bug became active. Then, when you open Instagram, the bug started doing its work. Basically, it was capable of only crashing the app multiple times, but in the hands of a seasoned hacker, it may expose your entire phone.

Image of the function causing the Instagram bug
Image of the function causing the Instagram bug. Image credits: Bleeping Computers

An error was found in the function handling image sizes, leading to memory allocation problems or integer overflow. This bug was capable of corrupting your phone’s memory as well.

Instagram usually has access to the critical functions of the phone. It can access storage, microphone, camera, as well as location. So if a bug is carefully planted, the hacker may be able to remotely control your phone, without you even knowing about it.

Facebook Fixed It

The bug was reported to Facebook by Check Point. It was identified as a technicality called a heap-buffer overflow. This happens when Instagram tries to upload a large image, believing it to be a smaller size. In his report, Gal Elbaz told how the integration of a third-party code may lead to remote execution risks, like app crashing and spying.

In this case, an open-source image encoder, Mozjpeg had been identified as the weak point. The job of an image encoder here is to compress images while retaining their quality. Facebook had earlier fixed the problem and issued a security advisory about it. Check Point never discovered the limit to which the bug could be used to abuse user privacy because Facebook patched the issue.

Manik Berry
Manik is fascinated by smartphones and ecosystems. He also likes a strong coffee after a long bike ride.