Given you’re reading this story, the chances are that you’re somewhat cyber aware. If I were to send you a file attachment in a text message, let’s say a Word or PDF document, you’re hopefully programmed to ask a whole set of questions before opening or saving that attachment to your phone. Do I know the sender? Was I expecting the file? But what if it was just a photo—something amusing or attention-grabbing to keep or share? You can view the image within the messaging app, you can see what you’re getting, surely there’s no harm in saving it to your photo album?
If only that were the case. The fact is that a malicious image has the same capacity to damage your device and steal your data as a malicious attachment. The only difference is that it’s a more sophisticated attack, which makes it rarer. We saw the latest example of just such a threat this week, with Facebook confirming that it had patched an Instagram vulnerability disclosed by Check Point’s researchers, one involving a crafted image that could potentially hijack an entire account, maybe even piggyback on Instagram’s permissions to take over a smartphone.
Facebook disputed Check Point’s claim that the malicious image which crashed Instagram could be used to take over the smartphone itself, accessing the camera and microphone. Facebook told me that the worst case would be an account hijack, which seems bad enough in itself. And while Check Point claimed that just saving an image to a phone would trigger the attack, Facebook said a user would need to load the image into Instagram. Again, the fact that an image had been crafted as an attack tool was accepted. And that’s the point here.
In Check Point’s proof-of-concept attack, an image would be messaged to a victim over a popular platform (iMessage, Android Messages or WhatsApp), and the content of the image would tempt the victim to save the photo to their device. It’s easily done—most of us do it all the time, even if just to share the image on a different platform, rather than forward the message we have received.
Check Point’s Ekram Ahmed told me that this should serve as a warning. “Think twice before you save photos onto your device,” he told me, “as they can be a Trojan horse for hackers to invade your phone. We demonstrated this with Instagram, but the vulnerability can likely be found in other applications.” That’s almost certainly the case—the issue was with the deployment of an open-source image parsing capability buried within the Instagram app. And that third-party software library is widely installed in countless other apps.
Sonatype, which specializes in helping developers make safe use of such open-source software libraries, told me that such components “make up 90% of any modern application, and not all of the components are created equal… While Check Point disclosed this issue responsibly and Facebook issued a patch, there may be thousands of other companies using a vulnerable version of [that] component. Now the race is on.”
If you were to receive a malicious image in one of your messaging or social media apps, then viewing it within the application is almost certainly fine. The issue comes when you save it to the album on your phone’s internal storage or an external disk. We saw this last year, with WhatsApp and Telegram exposed to an Android vulnerability where images were saved to an external disk. That said, earlier this year, Google’s Project Zero team warned that the image handling by messengers themselves on iOS could be defeated when an unusual file type was handled.
But issues with mainstream apps can be fixed—and if you stick to hyper-scale messaging and social media apps, then they will address any such image handling vulnerabilities once disclosed. Simply put, those problems are with the apps and not the images: you trust the app to safely handle whatever content it displays. Once you move an image outside this sandbox, so to speak, onto your own device, then the risk changes. What the apps won’t do, though, is clean the images sent through them to remove threats should you save those images to your own device. Social media apps remove metadata, such as the location where the photo was taken, and compress the size of the image. But they do not screen for threats crafted into the image structure itself. SMS messaging apps do not even compress or strip metadata by default.
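What screening the image structure itself can look like before a file reaches a native decoder, as an added example that is not code from the article, Facebook or Check Point: it walks a JPEG's header segments and rejects inconsistent lengths or implausible dimensions. The 50-megapixel limit and all function names are assumptions made for this sketch.

```python
import struct
MAX_PIXELS = 50_000_000  # assumed policy limit, not a value from the article
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # frame headers only

def check_frame(payload):
    """Validate a frame header: precision, height, width, component count."""
    if len(payload) < 6:
        return ["frame header too short"]
    _precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
    problems = []
    if len(payload) != 6 + 3 * ncomp:
        problems.append("frame header length disagrees with component count")
    if width == 0 or height == 0:
        problems.append("zero image dimension")
    elif width * height > MAX_PIXELS:
        problems.append(f"{width}x{height} exceeds pixel budget")
    return problems

def check_jpeg_structure(data):
    """Walk marker segments up to start-of-scan; return a list of problems."""
    if data[:2] != b"\xff\xd8":
        return ["no SOI marker: not a JPEG"]
    problems, pos, frames = [], 2, 0
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD9:
            return problems + [f"unexpected bytes at offset {pos}"]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(data):
            return problems + [f"segment 0x{marker:02X} has bad length {length}"]
        if marker in SOF_MARKERS:
            frames += 1
            problems += check_frame(data[pos + 4:end])
        if marker == 0xDA:  # start of scan: compressed data follows
            return problems + ([] if frames == 1 else [f"{frames} frame headers"])
        pos = end
    return problems + ["no start-of-scan segment"]

def make_jpeg(width, height):
    """Constructed header skeleton (SOI, SOF0, SOS, EOI) used as sample input."""
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + b"\x00\xff\xd9")
```

A file that passes this check is not thereby safe to decode; the check only rejects files whose headers are already inconsistent, before a parsing library has to cope with them.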
The ease with which a vulnerability can spread was highlighted in May, when an image shared on social media bricked certain Android devices if set as homescreen wallpaper. The issue was in the way the image handled its colours and interacted with the relevant code on the Android device. Again, there is no way such issues will be screened by the messaging or social media apps used to virally share such threats. There was no malicious intent with that particular image—but it tells you just how powerful a crafted image can be. “These types of attacks are usually carried out by nation-state actors or equivalent,” Check Point’s head of cyber research Yaniv Balmas told me.
Crafted cyber threats are not the only risks carried by the myriad images we now receive and then share. If we are to compromise ourselves or others by the content messaged to or from our phones, the likelihood is that it will be the images and videos we capture and share. And so the latest move by WhatsApp, now in development, to enable users to have media attachments disappear once viewed is very welcome. This can be done in media apps such as Snapchat and Instagram; providing the same within a mainstream messenger should become the norm.
So, what’s the advice to stay safe? It’s remarkably simple. If you know the person and the camera, meaning you can tell they captured the sent photos with their own phone, then you’re fine to save whatever they send. You can do this over wireless sharing, like Apple’s AirDrop, or by iMessage or Android Messages to get full-resolution versions with metadata intact. You can also use WhatsApp or other “over-the-top” messengers, but those will likely compress the size of the photos and strip the location data from the files.
If you don’t know the sender that well, or if the image may have been forwarded from elsewhere or pulled from the internet or social media, then don’t save it to your device. It may look like a simple photo, but ultimately it’s a data file which you cannot vouch for. Similarly, if you receive images by social media message or in your feed that are not photos taken by someone you know, then leave them where they are.
For exactly the same reason, you must not set the permissions in any of your social media or messaging apps to automatically save images and videos to your phone. As ESET cyber guru Jake Moore warns, “simply being sent a file which automatically saves sounds dangerous by any means, but tends to be the norm for so many people. Saving images can be done retrospectively, which makes far more security sense—then you can choose as and when you know the images are safe from known senders.”
And that’s the key takeaway here—safe senders. But you also need to add safe content to that. The most powerful cyber weapons are those that hide in plain sight. It’s why serious threat actors focus on the mainstream apps they know will be found on almost all target devices. It’s why targeted spear-phishing wrapped in social engineering is so potent. And it’s why an image, which lulls a victim into thinking they can see the content and therefore can dismiss concerns there may be a threat, is something you need to protect yourself from.