Facebook has patched a critical vulnerability in Instagram that could lead to remote code execution and the hijack of smartphone cameras, microphones, and more.
Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as “a critical vulnerability in Instagram’s image processing.”
Tracked as CVE-2020-1895 and issued a CVSS score of 7.8, Facebook’s security advisory says the vulnerability is a heap overflow problem.
See also: Adobe out-of-band patch released to tackle Media Encoder vulnerabilities
“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 188.8.131.52.128,” the advisory says.
In a blog post on Thursday, Check Point cybersecurity researchers said sending a single malicious image was enough to take over Instagram. An attack can be triggered once a crafted image is sent — via email, WhatsApp, SMS, or any other