A remote code execution (RCE) flaw found in Instagram that lets bad actors potentially take over a victim’s phone by sending a malicious image shines a spotlight on the vulnerabilities tied to third-party apps and image files.
Researchers from Check Point crashed Mozjpeg, open source software that Instagram uses as a decoder for images uploaded to the photo-sharing service, to exploit CVE-2020-1895, according to a blog post. Although the bug was discovered on an Android device, Check Point said iOS devices are also at risk.
Yaniv Balmas, Check Point’s head of cyber research, said Instagram made a mistake in how it integrated Mozjpeg into the Instagram app. Balmas said the image parsing code used as a third-party library wound up being the weakest part of the Instagram app, noting that researchers were able to crash it 447 times. Check Point has notified Instagram owner Facebook of the vulnerability and it has since been fixed.
“Every modern application uses third-party libraries – it would make no sense to develop otherwise,” Balmas said. “But that doesn’t mean you have to blindly trust it. Moving forward, developers need to treat third-party libraries like their own code.”
The Synopsys Cybersecurity Research Centre found that open source software makes up on average 70 percent of the code in audited commercial applications, and 99 percent of all applications have some aspect of open source code attached to them.
In the case of the Check Point discovery, development teams must treat images as unvalidated input and test for the effects of corruption, said Tim Mackey, principal security strategist at the Synopsys. He said development teams should treat any abnormal behavior during these tests with the same level of priority given to a SQL injection or other unvalidated input weakness in code.
“Open source has many benefits, but carries with it a shared use responsibility,” Mackey said. “If you are using an open source component, and it’s critical to the success of your app or business, then you need to manage it properly. One part of that responsibility is to test that your chosen components are securely used in your applications. If there turns out to be an issue, then it’s your responsibility to report it to the authors, but ideally if you’re able to provide a fix – do so... The security of all software is only as good as the weakest component.”
Chris Olson, founder and CEO of The Media Trust, said security pros should consider a CVE discovery at a big platform like Facebook/Instagram a red flag.
“The big platforms spend a lot of resources protecting their ecosystems, so if it could happen there, that’s significant,” Olson said. “What I worry about more is that most companies are focused on protecting their own infrastructures and not on the consumers who mostly use third, fourth and fifth parties to run the big platform applications. The vast majority of the cyber attacks are on the third, fourth and fifth-party apps. It’s the biggest ‘miss’ in cyber and too many companies don’t even know it’s an issue.”
Tim Erlin, vice president of product management and strategy at Tripwire, was more low-key, saying that “there’s nothing new about exploitations of third-party libraries.” Erlin said the unique vulnerability Check Point uncovered was cause for concern because Instagram has millions of users and organizations such as publishers, corporate marketing departments, ad-networks and radiology labs use thousands of images every day.
“My advice to developers is to run a vulnerability scan on all third-party apps they're using to process images, as well as all third-party apps on the website,” Erlin said. “They should also do the vulnerability scans on a regular basis. For companies that don’t want to slow things down and run the scans, find tools to automate the process.”