Instagram patches bug that allowed hackers to take over users' phones

The bug would have allowed a bad actor to take over a user's smartphone by sending a photograph carrying malicious code.

The vulnerability was discovered by Check Point Security back in April. Facebook has claimed that they patched the vulnerability and that no one had abused the exploit. Users who haven't updated Instagram are strongly encouraged to do so, to be safe.

The bug was especially noteworthy because it highlighted how easily a hacker could take over a user's personal device, such as an iPhone.

A hacker could simply send an image loaded with malicious code to a potential victim via email or through a messaging service like Facebook Messenger or WhatsApp.

If the photo were stored on the user's device (something WhatsApp does automatically by default) and the user then opened Instagram, a hacker would be given full control of the user's Instagram account. Additionally, they could control a user's camera and microphone remotely through the exploit.

The vulnerability serves as a reminder for users to routinely check what permissions apps have, especially any app that can control a device's camera or microphone.

"People need to take the time to curate each permission an application has on your device. This 'application is asking for permission' message may seem like a burden, and it's easy to just click 'Yes' and forget about it," Check Point head of cyber research Yaniv Balmas said in a statement to Business Insider. "But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks."

Instagram was recently reported to be apparently activating the camera and microphone indicators while users were simply browsing the app's feed and not doing anything that required the camera or microphone. The company claimed that it was a bug and that it was working to patch it.

Facebook, the parent company of Instagram, was recently accused in a lawsuit of spying on Instagram users through unauthorized use of iPhone cameras. It isn't clear if this fix is related to the suit.



6 Comments

badmonk 11 Years · 1336 comments

Yet another reason why everyone should think about deprecating the use of Facebook, WhatsApp and Instagram from their lives. From the article it sounds like the photo is first transmitted from outside of the IG app and needs to be stored on your device to work.

goodbyeranch 9 Years · 251 comments

Why why why is there not an alternative to Instagram?

sflocal 16 Years · 6139 comments

It was especially noteworthy because it highlighted how easily a hacker could take over a user's personal device, such as an iPhone


If the photo were to be stored on the user's device -- a feature that WhatsApp automatically does by default -- and the user opened Instagram, a hacker would be given full control of the user's Instagram account. Additionally, they could control a user's camera and microphone remotely through the exploit.

This is NOT taking over a user's iPhone.  This is a bug in Instagram that allows someone to take over a user's Instagram account.  Big difference.


It's frustrating when "news" turns out to be clickbait.  AI needs to be better than going this route.

JinTech 9 Years · 1061 comments

sflocal said:
It was especially noteworthy because it highlighted how easily a hacker could take over a user's personal device, such as an iPhone


If the photo were to be stored on the user's device -- a feature that WhatsApp automatically does by default -- and the user opened Instagram, a hacker would be given full control of the user's Instagram account. Additionally, they could control a user's camera and microphone remotely through the exploit.
It's frustrating when "news" turns out to be clickbait.  AI needs to be better than going this route.

But then AI won't get the click... but I do agree with you.

MplsP 8 Years · 4049 comments

So if this was discovered last April, why did it take Instagram/Facebook 5 months to patch it?