Israeli cybersecurity firm Check Point reported on Thursday that was able to locate a significant security breach on Instagram that allows a third party to assume control over the personal phone of the user. A massively popular social media application with roughly a billion monthly users, the possible damage a security breach – an #InstaHack – could cause is enormous.Check Point released the news after informing the company to allow it time to fix it, a press release on behalf of the company reported. How was the hack possible? A third party could have sent a victim an image file that, when opened in an e-mail or via WhatsApp, would assume control over the phone via the Instagram application. This would have given the hacker control on the victim's account. Many people use their smartphones to control their social media presence, so the hacker could also gain control over the location, recording, camera and contact list in the phone. This might seem far-fetched but, for the sake of argument, imagine that the social media account of the son or daughter of an important figure on the world stage is hacked in this manner. If the victim is included in official state functions, the hacker could record everything that takes place within ear-shot.Even if the hack is not motivated by political intrigue, consider the possibility of an outside party assuming control of the payment options on your phone and helping themselves to your financial resources. Instagram is somewhat unique because, unlike other applications on the average phone, it has extensive permissions. While a dating app might only have access to your camera and a map app only to your location, Instagram has access to everything. Which is why hacking into it would put more of your personal data at risk than hacks to other apps. What Check Point found is that via Remote Control Execution (RCE) it is indeed possible to turn Instagram into a path turning the phone into a spying tool. Why was the hack even possible? Because Instagram used an open source library called Mozjpeg to process some of its files. This is not unusual: Most developers use such libraries to handle the function of the app they are creating. In this case, Mozjpeg was used to open JPEG files. What could a hacker do in such a situation? Anything the owner of the account could do – from posting pictures to pretending to be the user in e-communication. The security breach was fixed between the time of its discovery and the time of this report. However, Check Point encourages app users to download the latest version of Instagram to ensure they are protected. The Israeli tech firm also offers a service called SandBlast Mobile (SBM) that can provide users with a full disclosure of all the risks their phones are exposed to.
Facebook, which owns Instagram, claimed that Check Point "greatly ovestates" the breach that was found and pointed out that the Israeli company was "unable to successfully exploit the bug.""We have fixed the issue," the social media giant said in response to the Israeli company's report, "and have no reason to believe anyone was impacted by this.