Instagram is one of the most popular social media platforms in the world, with over 100 million photos uploaded every day and nearly one billion active users. People and businesses share photos and messages about their lives and products with their fans around the world. So imagine what could happen if a hacker could completely take over Instagram accounts, and access all messages and photos from those accounts, post new photos, or delete or manipulate existing photos. What effect could this have on the reputation of a person or a company?
Earlier this year, Check Point researchers exposed a serious vulnerability in the Instagram app, which supposedly allowed a hacker to take over a victim's Instagram account and turn their phone into a spy tool, simply by sending it a malicious image file. When the image was saved and opened in the Instagram app, the vulnerability would give the hacker full access to the victim's Instagram messages and images, allowing them to post or delete images at will, as well as access phone contacts, camera and location data.
Here’s how the vulnerability was discovered and how the researchers worked with Facebook and Instagram to address it and protect users.
What permissions are granted to apps on your phone?
Wherever you go, your mobile phone is usually with you, allowing you to stay in touch with your family, loved ones, and your work. This is of course also the reason why mobiles are an attractive target for hackers. Not only can they steal data and credentials from your phone, but they can also use it to spy on you: track your location, listen to your conversations, and access your data and messages.
Fortunately, all modern mobile operating systems have several layers of protection against this type of malicious activity. These protections are generally based on a concept of “application isolation”: even if someone were able to hack a specific application, they would still be confined to that one application, with its strict permissions, and could not extend their attack any further.
The key term here is strict permissions. For example, a mapping application should be able to access your location, but should not have access to your microphone; a dating app should be able to access your camera and nothing else.
But what happens when an app has extended permissions on your device? If the app is hacked, the hacker will have easy access to your GPS data, camera, microphone, contacts, etc.
Fortunately, the number of apps that have such extensive permissions on users’ devices is limited. Instagram is one example. Given its popularity and the breadth of its permissions, the researchers reviewed the security of Instagram’s mobile app for Android and iOS operating systems.
In the attack scenario described in the study, a hacker can simply send an image to their target victim via email, WhatsApp, or some other file exchange platform. The targeted user saves the image to their phone, and when they open the Instagram app, the vulnerability is exploited, allowing the hacker to access all of the phone’s resources that are pre-authorized by Instagram.