SECURITY
Facebook Inc. has patched a vulnerability in its photo-sharing app Instagram that could have allowed hackers to take over user accounts through a malicious image.
The vulnerability, discovered and publicized today by researchers at Check Point Software Technologies Ltd., involved a remote code execution hack. The vulnerability would allow attackers to perform any action they wish through sharing what the researchers describe as a “bad image.”
In this case, a bad image is one sent to an Instagram user via email or a messaging service that included malicious code. It would give the hacker access to the Instagram app, including any resource in the phone that’s allowed by Instagram.
The exploit also potentially could go further, since Instagram typically is given access to a range of phone permissions, including contacts, device storage, location services and the device camera.
The vulnerability was not directly in Instagram itself but in third-party open-source software Instagram uses — specifically Mozjpeg, a project used by Instagram as its JPEG format image decoder for images uploaded to the service.
The patch for the vulnerability was issued in February, with Check Point going public with the details only now because of responsible vulnerability disclosure guidelines.
“Open-source components make up 90% of any modern application and not all of the components are created equal,” Derek Weeks, vice president and DevOps advocate at DevOps automation firm Sonatype Inc., told SiliconANGLE. “Depending on the development language, as many as 10% to 40% have known security vulnerabilities in them. The Mozjpeg open-source component used in Instagram, Firefox and other popular applications is now one of those known vulnerable components.”
One problem, he added, is that there may be thousands of other companies using a vulnerable version of the Mozjpeg component. “Now the race is on,” he said. “Enterprise development and security teams have to quickly determine if and where they might have used Mozjpeg, while adversaries race to discover where the now vulnerable components live in applications. Enterprise teams armed with a software bill of materials for each application have a head start in this race.”
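As an added illustration of the software-bill-of-materials search Weeks describes, the script below walks a set of per-application SBOMs and reports every application that lists Mozjpeg anywhere in its dependency tree, including as a transitive dependency nested under another component. This is example code written for this article, not code from Sonatype, Check Point or Instagram; it assumes one CycloneDX-style JSON SBOM per application with a top-level "components" list, and the SBOMs and version strings in it are constructed for illustration.

```python
"""Find which applications' SBOMs include a given component (here Mozjpeg).

Example code added to this article; not from Sonatype, Check Point or Instagram.
Assumes a CycloneDX-style JSON SBOM per application. The sample SBOMs and
their version strings below are constructed for illustration only.
"""
import json
import re

# Constructed sample SBOMs (CycloneDX-like layout), keyed by application name.
# "media-service" pulls Mozjpeg in transitively, nested under another component,
# which is exactly the case a flat text search over direct dependencies misses.
SAMPLE_SBOMS = {
    "photo-app": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "mozjpeg", "version": "1.0-sample",
             "purl": "pkg:generic/mozjpeg@1.0-sample"},
            {"name": "libpng", "version": "1.0-sample",
             "purl": "pkg:generic/libpng@1.0-sample"},
        ],
    }),
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "react", "version": "9.9-sample",
             "purl": "pkg:npm/react@9.9-sample"},
        ],
    }),
    "media-service": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "image-toolkit", "version": "5.0-sample",
             "purl": "pkg:generic/image-toolkit@5.0-sample",
             "components": [
                 {"name": "mozjpeg", "version": "2.0-sample",
                  "purl": "pkg:generic/mozjpeg@2.0-sample"},
             ]},
        ],
    }),
}


def iter_components(components):
    """Yield every component, descending into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_component(sbom_text, pattern):
    """Return [(name, version, purl)] for components whose name or purl matches."""
    sbom = json.loads(sbom_text)
    regex = re.compile(pattern, re.IGNORECASE)
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        haystack = f"{comp.get('name', '')} {comp.get('purl', '')}"
        if regex.search(haystack):
            hits.append((comp.get("name"), comp.get("version"), comp.get("purl")))
    return hits


def applications_using(sboms, pattern=r"mozjpeg"):
    """Map application name -> matching components, for applications with hits only."""
    report = {}
    for app, text in sboms.items():
        hits = find_component(text, pattern)
        if hits:
            report[app] = hits
    return report


if __name__ == "__main__":
    for app, hits in applications_using(SAMPLE_SBOMS).items():
        for name, version, purl in hits:
            print(f"{app}: {name} {version} ({purl}) -> review against vendor patch")
```

The match is done on both the component name and its package URL so that a renamed wrapper package still surfaces if its purl names the upstream project; the output is a review list, since whether a given Mozjpeg version is affected has to be checked against the vendor's fix, which this article does not enumerate.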
Looking at the broader picture of what the vulnerability may entail, Josh Bohls, founder and chief executive officer of secure content capture firm Inkscreen LLC, noted that the Instagram vulnerability highlights the underestimated problem of photos and videos on mobile devices.
“We recently had the shocking story of a video shared on WhatsApp leading to the hacking of Jeff Bezos’ phone, and now we learn that a JPG photo saved to your mobile device could lead to a full takeover of your Instagram account,” he said. “It is clear that individuals, companies and government organizations need to take greater caution with multimedia content on mobile devices.”