Today’s security alert for Instagram users is a stark warning. A new report claims that a single image sent to an Android phone or iPhone could have hacked a user’s app. Facebook has issued updates for millions of Instagram users on both Android and iOS, and this specific issue has been fixed.
The Check Point research team found that “the critical vulnerability… would allow an attacker to perform any actions inside Instagram – read DMs and delete or post content. They could also manipulate account details. A victim’s smartphone could be turned into a spying device to access GPS location, contacts, and camera.”
Check Point states that an attacker would need only one malicious image to carry out the attack. Once the image is saved, the cyber weapon is ready. The attack could occur as soon as Instagram is opened again. The cyber company claims it waited six months to publish its report due to the seriousness of this disclosure. Yaniv Balmas, Check Point’s director of Cyber Security, told me that the patch had to be delivered to all phones and users. “Alternatives could have disastrous consequences to such publication,” he said.
Facebook confirmed the vulnerability had been disclosed and fixed, but said that Check Point’s report “overstates a bug which was quickly fixed and we have no reason for believing it impacted anyone.” Check Point claims that they pulled their proof-of-concept before hacking any accounts. Facebook claims that this means that Check Point could not exploit the bug through their own investigation.
Check Point strongly disagrees. Balmas stated that one can “steal” the application execution flow by adding a specially-crafted photo to it. This allows the attacker to do anything they want in the same context as the app. The permissions Instagram gives to the attacker (camera, GPS, contacts and …) allow them to spy on anyone who uses Instagram.
Check Point claims that it did further research on its POC after it crashed Instagram. This, according to Check Point, made it vulnerable to attack. Balmas said, “We believe this proves it. At the end, we aren’t developing attack tools.”
Ekram Ahmed, Check Point’s Director of Security, told me that Facebook had claimed that the issue was exaggerated. He said that they stand by the publication, which they believe clearly shows how the vulnerability was carried out. Facebook was informed openly about every detail. Facebook was first notified in February 2020, then again in April and September. All instances were before publication. Facebook now claims that the vulnerability is not an “RCE” [remote code execution], when it is.
Check Point discovered the issue in the implementation of Mozjpeg. This third-party code library is open source and buried within Instagram. It parses JPEG images. Balmas explained to me that the buffer overflow was caused by sending an image with a large file size, which tricks the app into thinking it is smaller. “This causes an overwrite, and allows us to do our magic.”
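The class of bug Balmas describes, shown from the defender's side as an added example; this is not Instagram's or Mozjpeg's code. It assumes the undersized buffer comes from 32-bit wrap-around when the declared dimensions are multiplied (the article says only that the app is tricked into thinking the image is smaller), and all function names and the size cap are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical cap on decoded size; an assumption, tune per application. */
#define MAX_DECODED_BYTES ((size_t)256 * 1024 * 1024)

/* Unsafe pattern: the product is computed in 32 bits and silently wraps,
 * so the allocation is smaller than the data the decoder will write. */
uint32_t decoded_size_unchecked(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Hardened pattern: reject implausible values, check every multiplication
 * for overflow (GCC/Clang builtin), and enforce a cap before allocating. */
bool decoded_size_checked(uint32_t width, uint32_t height, uint32_t channels,
                          size_t *out)
{
    size_t row, total;
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)channels, &row))
        return false;
    if (__builtin_mul_overflow(row, (size_t)height, &total))
        return false;
    if (total > MAX_DECODED_BYTES)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed header values: the true product is about 12 GiB. */
    uint32_t w = 0x10000, h = 0x10001, c = 3;
    size_t safe = 0;
    printf("unchecked size: %u bytes\n", decoded_size_unchecked(w, h, c));
    printf("checked accepts oversized image: %d\n",
           decoded_size_checked(w, h, c, &safe));
    printf("checked accepts 1920x1080x3: %d\n",
           decoded_size_checked(1920, 1080, 3, &safe));
    printf("bytes needed: %zu\n", safe);
    return 0;
}
```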
Check Point claims that opening Instagram after the malicious photo has been saved to a phone will trigger the exploit. Once a photo is saved to your phone, Instagram will try to load the images automatically the moment you open it. These images can be viewed by pressing the post button (at the bottom) in the app. To be exploited, a user need only open Instagram.
Facebook disagrees with this view. They claim that it is not a “zero-click” attack. Instead, a user would have to upload the image to Instagram in order to crash the app and make it vulnerable to attack. Facebook acknowledged that the issue was overstated but also stated that the worst scenario would involve a single account being hijacked and not an attack on the entire platform. This seems to contradict the fact that the issue has been denied. This is unsurprising, as Check Point also agrees.
Check Point also rejected Facebook’s argument about the nature of the vulnerability. Ahmed said that the malicious image in the described scenario does not need to be uploaded manually to Instagram. This is because of the “snippet” functionality embedded in Instagram, which automatically parses and presents photos from your mobile media libraries once the Instagram app starts.
Ahmed informed me that Check Point had produced a technical report on the exploit. He said that they shared the report with Facebook, along with the fact that the vulnerability was exploitable. I have not received rejections for these claims as of yet. We respect Facebook but stand 100% behind our publication and the findings.
Claims that Instagram was hacked with a single photo are a serious problem for Facebook due to the company’s billion-plus users and the data security and privacy problems that have plagued Facebook in the past two years. There have been reports that well-known Instagram accounts were allegedly hacked. This is a sensitive matter and often prevents the publication of private images.
In the spring of this year, I worked with Facebook to help a prominent Iranian television personality who claimed that their Instagram account was being hacked. Facebook was able to recover the stolen account multiple times, as it appeared that the account had been repeatedly hacked. The tech giant refused to share details about their investigation into the incident. We did not release details about the attack or the identity of the celebrity because of political sensitivities.
Balmas stated that image vulnerabilities are a “great place to find vulnerabilities” and warned that attackers will not soon be able to exploit the reliance on third-party libraries and the wide variety of image types an app must handle. This is an extremely difficult attack to execute. Balmas says that it is not easy to locate and make the bug usable. However, once you have done this, the attack can be performed in just a few clicks. These attacks are typically carried out by nation-state actors or their equivalent.
Here is Facebook’s advice for keeping your Instagram account secure, with more detailed advice in the event that your account has been compromised. They said that users should choose a strong password and follow the rule of not reusing passwords across different services. Facebook advised users to “revoke access to third-party apps because they can expose login data.”