• Daniyar Kylyzhov

Instagram found image processing vulnerability


Check Point specialists have disclosed a serious vulnerability, found earlier this year, in the Instagram mobile application for iOS and Android. Attackers could use the CVE-2020-1895 vulnerability to gain almost full access to the victim's smartphone by remotely executing arbitrary code on the attacked device. All they needed was to send the user an image containing malicious code with specially crafted dimensions; the Instagram application's standard image processing routine then carried out a heap buffer overflow.

The CVE-2020-1895 vulnerability was discovered by Check Point earlier this year. It affected Instagram application versions prior to 128.0.0.26.128.


Check Point's fuzzing investigation revealed that the Instagram developers had misused the third-party library MozJPEG (Mozilla's open-source JPEG decoder).


It turned out that the Instagram app's handler code for this library had a flaw: it could trigger an integer overflow when the application processed and opened a large image while treating it as a smaller one, namely a malicious image with specially crafted dimensions that the user had previously received and saved to the smartphone.
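The size-calculation flaw described above, as an added illustration that is not code from MozJPEG, Instagram or Check Point: a decoder that derives its output buffer from header dimensions with unchecked 32-bit arithmetic beside one that rejects overflowing or oversized products and bounds-checks each row write. The `MAX_IMAGE_BYTES` cap and all dimensions are constructed values, and the block assumes GCC or Clang for `__builtin_mul_overflow`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration only; not code from MozJPEG or Instagram.
 * A decoder derives its output buffer size from the image header. If
 * that multiplication silently wraps, a huge image is "considered
 * smaller" than it is and the decoded rows run past the buffer. */

#define CHANNELS 3u                              /* RGB */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)        /* assumed policy cap, 1 GiB */

/* Unchecked: the product wraps in 32 bits, the pattern behind the bug. */
uint32_t unchecked_size(uint32_t width, uint32_t height) {
    return width * height * CHANNELS;
}

/* Checked: returns the byte count, or 0 when a dimension is zero, the
 * product overflows size_t, or the result exceeds the cap.
 * __builtin_mul_overflow is a GCC/Clang intrinsic. */
size_t checked_size(uint32_t width, uint32_t height) {
    size_t bytes;
    if (width == 0 || height == 0) return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &bytes)) return 0;
    if (__builtin_mul_overflow(bytes, (size_t)CHANNELS, &bytes)) return 0;
    if (bytes > MAX_IMAGE_BYTES) return 0;
    return bytes;
}

/* Defence in depth: every row write is bounds-checked against the
 * capacity the buffer was actually allocated with, not the header. */
int write_row(unsigned char *buf, size_t capacity, size_t row,
              uint32_t width, const unsigned char *pixels) {
    size_t row_bytes = (size_t)width * CHANNELS;
    size_t offset;
    if (__builtin_mul_overflow(row, row_bytes, &offset)) return -1;
    if (offset > capacity || capacity - offset < row_bytes) return -1;
    memcpy(buf + offset, pixels, row_bytes);
    return 0;
}

int main(void) {
    /* Constructed header: 65536 x 65536 wraps to 0 in 32-bit arithmetic. */
    printf("unchecked 65536x65536: %u bytes\n", unchecked_size(65536u, 65536u));
    printf("checked   65536x65536: %zu bytes (0 = rejected)\n", checked_size(65536u, 65536u));
    printf("checked   1920x1080:   %zu bytes\n", checked_size(1920u, 1080u));
    return 0;
}
```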


Notably, once the malicious code was running after exploitation, the attacker had two options for continuing the attack:


  • obtaining information from the smartphone, including viewing and copying contacts and messages, user location data, and access to camera control, that is, all elements and services of the smartphone to which the Instagram application had access;


  • causing the Instagram app to crash continuously on startup; even after uninstalling and reinstalling the app after a while, the crash could be triggered again.


In February 2020, Facebook specialists released new versions of Instagram mobile applications with a patch against the CVE-2020-1895 vulnerability.

In mid-September 2020, Microsoft released a new automated tool for developers, Project OneFuzz. This fuzzing solution has already replaced the Microsoft Security Risk Detection service. The source code of Project OneFuzz is available on GitHub under the MIT license, including documentation and examples.


#Instagram #Attack #Problem #MozJPEG #Fuzzing

Copyright © 2020 Fyberus WebSite. A Fyberus. All rights reserved. Reproduction in whole or in part without permission is prohibited.