Major Instagram bug lets hackers ‘snoop on you through your phone’ by sending a single image file – update your app NOW

HACKERS could break into your phone and spy on you through its camera just by sending you an image on Instagram.

US cyber security buffs say the terrifying tactic is possible due to a major flaw in the way that Instagram handles photos.

2

In a report published on Thursday, experts at Check Point research detailed exactly how hackers could exploit this vulnerability to snoop on people.

The flaw gives an attacker "the ability to take over a victim’s Instagram account and turn their phone into a spying tool", experts said.

Check Point added that it flagged the bug to Facebook – which owns Instagram – and the US company quickly issued a patch to fix it.

However, users who have not updated their app to the latest version may still be exposed.

2

The team at the California cyber security firm identified the vulnerability by scanning through a piece of software used by Instagram and other apps.

The free-to-use tool, Mozjpeg, helps process image files and is used by Instagram to upload photos to the application.

However, a dangerous flaw in Mozjpeg's code allows hackers to wreak havoc on people's phones using a single malicious image file.

To carry out an attack, a cyber crook would need to send a victim a boobytrapped image via Instagram, WhatsApp or other messaging service.

The picture must then be saved to the user's phone. On apps like WhatsApp, all images received by a user are automatically stored in their camera roll.

Once saved on the device, a victim would then simply need to open the Instagram app to give a hacker unfettered access to their mobile.

"The vulnerability would have given the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will," researchers said.

It would have also "given access to the phone’s contacts, camera and location data for spying purposes," they added.

Instagram denies that the bug would have allowed hackers full, remote access to a phone, and suggested they only would have had access to the individual's Instagram account.

It's not clear whether any hackers used the vulnerability to access people's phones.

A Facebook spokesperson said: "Check Point's report overstates a bug, which we fixed quickly and have no reason to believe impacted anyone.

"Through their own investigation Check Point was unable to successfully exploit this bug."

Instagram – the key facts

Here's what you need to know...

• Instagram is a social network for sharing photos and videos
• It was created back in October 2010 as an iPhone-exclusive app
• A separate version for Android devices was released 18 months later
• The app rose to popularity thanks to its filters system, which lets you quickly edit your photos with cool effects
• When it first launched, users could only post square 1:1 ratio images, but that rule was changed in 2015
• In 2012, Facebook bought Instagram for $1billion in cash and stock
• In 2018, some analysts believe the app is worth closer to $100billion
• In October 2015, Instagram confirmed that more than 40billion photos had been uploaded to the app
• And in 2018, Instagram revealed that more than a billion people were using the app every month

Part of what made the flaw so potentially dangerous was the wide range of permissions requested by apps like Instagram, such as access to your phone and camera.

They mean hackers only need access to your Instagram account to watch you and listen in on your chats unhindered.

Researchers said the bug is lesson to pay attention to the permissions apps badger you for.

Check Point's Yaniv Balmas said: "People need to take the time to check the permissions an application has on your device.

"This 'application is asking for permission' message may seem like a burden, and it`s easy to just click ‘Yes’ and forget about it.

"But in practice this is one of the strongest lines of defence everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, 'do I really want to give this application access to my camera my microphone, and so on?'"

How to update Instagram

The Check Point flaw was flagged to Facebook six months ago, so it's unlikely you're still exposed to hackers.

However, if you haven't updated Instagram in a while – or are just feeling a bit paranoid – follow the steps below.

On iOS, you can do this by heading to the App Store and tapping on your account icon on the top right of your screen.

Scroll down to your apps and, if an update is available, Instagram will show at the top. Tap "update".

On Android, you can update Instagram by heading to the Google Play Store > My apps & games > Update.

Most read in Phones & Gadgets

CASE CLOSED

iPhone owner told ‘turn it off immediately’ after Apple fans spot ‘fire risk’

GOLDEN APPLE

Apple set to launch 'Ring rival' that can magically UNLOCK doors with NO key

YEAR WE GO!

WhatsApp's long list of secret tricks 'you missed in 2024' revealed

TUNE IN

TV channels returning for Christmas 2024 & exact numbers you need to find them

In other news, cyber crooks recently attempted to steal Instagram users' logins by faking a "copyright violation".

Scammers are using Google Alerts to send out links to malware.

READ MORE SUN STORIES

BILL BOOST

All the energy firms giving away FREE heated blankets and gadgets this Xmas

FURY'S FUTURE

Fury vows 'it's not over' despite Usyk loss as he looks ahead to Joshua match

And, Windows 10 users are being told to update their PC to escape an 'Eternal Darkness' flaw.

What do you think of the Instagram scam? Let us know in the comments!

We pay for your stories! Do you have a story for The Sun Online Tech & Science team? Email us at [email protected]