fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Instagram Bug Allowed Crashing The App Via Image Sent To Device

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

Instagram Bug Allowed Crashing The App Via Image Sent To Device

Technical details about a high-severity vulnerability in Facebook’s Instagram app for Android and iOS show how an attacker could exploit it to deny user access to the app, take full control of their account, or use their mobile device to spy on them.

To trigger the bug, an attacker had only to send the target a specially crafted image via a common messaging platform or over email.

The issue was in the way Instagram parsed images, so as long as the app could access it to show it as options for a post, the vulnerability would set off allowing dangerous actions.

Also Read: The Importance of DPIA And Its 3 Types Of Processing

Custom third-party code integration

Technically, the vulnerability is a heap buffer overflow (CVE-2020-1895) occurring when Instagram tried to upload a larger image believing it to be smaller.

Facebook fixed the problem in spring, following responsible disclosure from cybersecurity company Check Point, and issued a vague security advisory for it.

In a detailed technical report today, Gal Elbaz from Check Point highlights how custom implementation of third-party code in Instagram could have led to serious, remote code execution risks.

The weak point, in this case, was a hardcoded constant value that Instagram developers added when integrating Mozjpeg, an open-source JPEG encoder that Mozilla forked from ​libjpeg-turbo better compression of JPEG images.

Check Point started checking Mozjpeg for potential flaws that could be exploited in a meaningful way. The purpose was to learn if Instagram could be impacted through the library so the researchers focused on the app integrated Mozjpeg.

They found that the function handling image sizes when parsing JPEG images had an error that caused memory allocation problems (integer overflow) during the decompression process.

This could be used to to corrupt memory, which may come with dangerous implications. At best, this type of bug could crash Instagram but, if exploitable, it may lead to critical risks.

As Elbaz explains, triggering the vulnerability requires specifying a size larger than 2^32 bytes. In simpler terms, Check Point told BleepingComputer:

“Technically speaking, the issue itself was a buffer overflow and it is caused by sending a picture with a large size, while fooling the application into believing it’s much smaller. This causes an overwrite and let us do our magic” – Check Point

With an image crafted this way, an attacker may have been able to “steal” Instagram’s execution flow and make it run code within its context and permissions.

As Check Point told us, Instagram has extensive permissions on the device, which include access to contacts, storage, device location, camera, and microphone.

Apart from controlling the device owner’s Instagram profile, an attacker could also use the device as an effective spying tool without raising any suspicion.

Also Read: Data Storage Security Standards: What Storage Professionals Need To Know

A possible scenario from an attacker with skills to exploit the glitch could be as follows:

  1. Send a malicious image to the victim by email, WhatsApp, SMS, or any other messaging service
  2. If the user saves image and opens the Instagram app, bug exploitation begins, giving the attacker full access to the target’s phone for remote takeover
  3. Exploitation could also be used to crash the victim’s Instagram app continuously unless removed and reinstalled.

While this chain of events is possible, Check Point never got to discover all the possibilities stemming from exploiting this vulnerability, although they had more avenues to explore. Facebook patching the bug put an end to these efforts.

When informing Check Point about fixing the issue, a Facebook representative said that they did not see “any evidence of abuse.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us