The bug would have allowed a bad actor to take over a user's smartphone by sending a photograph carrying malicious code.
The vulnerability was discovered by Check Point Security back in April. Facebook has claimed that they patched the vulnerability and that no one had abused the exploit. Users who haven't updated Instagram are strongly encouraged to do so, to be safe.
It was especially noteworthy because it highlighted how easily a hacker could take over a user's personal device, such as an iPhone.
A hacker could simply send an image loaded with malicious code to a potential victim via email or through a messaging service like Facebook Messenger or WhatsApp.
If the photo were to be stored on the user's device — a feature that WhatsApp automatically does by default — and the user opened Instagram, a hacker would be given full control of the user's Instagram account. Additionally, they could control a user's camera and microphone remotely through the exploit.
The vulnerability serves as a reminder for users to routinely check what permissions apps have, especially any app that can control a device's camera or microphone.
"People need to take the time to curate each permission an application has on your device. This 'application is asking for permission' message may seem like a burden, and it's easy to just click 'Yes' and forget about it," Check Point head of cyber research Yaniv Balmas said in a statement to Business Insider. "But in practice this is one of the strongest lines of defense everyone has against mobile cyber-attacks."
Instagram was recently reported to be seemingly activating the camera and microphone indicators during times when the user was generally browsing the app's feed, and not actively requiring the use of the camera or microphone. The company had claimed that it was a bug and that they were working to patch it.
Facebook, the parent company of Instagram, had recently been accused of spying on Instagram users through unauthorized use of iPhone cameras, according to a lawsuit recently filed. It isn't clear if this fix is related to the suit.