A remote code execution (RCE) flaw found in Instagram that lets bad actors potentially take over a victim’s phone by sending a malicious image shines a spotlight on the vulnerabilities tied to third-party apps and image files.

Researchers from Check Point crashed Mozjpeg, open source software that Instagram uses as a decoder for images uploaded to the photo-sharing service, to exploit CVE-2020-1895, according to a blog post. Although the bug was discovered on an Android device, Check Point said iOS devices are also at risk.

Yaniv Balmas, Check Point’s head of cyber research, said Instagram made a mistake in how it integrated Mozjpeg into the Instagram app. Balmas said the image parsing code used as a third-party library wound up being the weakest part of the Instagram app, noting that researchers were able to crash it 447 times. Check Point has notified Instagram owner Facebook of the vulnerability and it has since been fixed.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.