Check Point published a blog post on Thursday describing a critical vulnerability in Instagram that could have been used to perform remote code execution on a victim’s phone.
According to the blog, "Many software developers, regardless of their size, utilize open-source projects in their software. We found a vulnerability in the way that Instagram utilizes Mozjpeg, the open source project used as their JPEG format decoder.
In the attack scenario we [found], an attacker simply sends an image to the victim via email, WhatsApp or other media exchange platforms. When the victim opens the Instagram app, the exploitation takes place."
ZDNet reports: "Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as 'a critical vulnerability in Instagram's image processing.'
Tracked as CVE-2020-1895 and issued a CVSS score of 7.8, Facebook's security advisory says the vulnerability is a heap overflow problem."
The blog post exposed some serious gaps in Instagram's app security and prompted cybersecurity experts to voice their concerns.
Jayant Shukla, CTO and Co-Founder of K2 Cyber Security, had this to say about the discovery:
"This latest discovered vulnerability in Instagram has many important lessons for enterprise security. First, the flaw is a Remote Code Execution (RCE) vulnerability, one of the most dangerous vulnerabilities because it gives the cyber criminal the ability to run arbitrary code on the exploited system. As such, it should be high on the list of vulnerabilities that are tested for in applications developed by enterprises.
Second, the flaw is based in open source code, which, since the pandemic began, has been used even more widely than ever by enterprises to get applications to production more quickly. Open source code is as likely to have vulnerabilities as any other code, so enterprises need to treat open source code the same as any in-house developed code, with thorough testing to ensure no vulnerabilities exist.
Third, and finally, the vulnerability is a good reminder to keep software and operating systems up to date and patched, as this vulnerability was patched after it was reported, but before the CVE was released to the public. Keeping your software up to date keeps systems and devices safe from cyber criminals using easy exploits with known CVEs."