How I found a Critical Bug in Instagram and Got 49500$ Bounty From Facebook

Neeraj Sharma
Published in InfoSec Write-ups
3 min read · Jun 12, 2022

Hello everyone, I am Neeraj Sharma, a 20-year-old Security Enthusiast from India.

Description

Using this vulnerability, an attacker could have changed the reel thumbnail (cover image) of any Instagram user; the only thing required was the clips_media_id (the media ID of the reel) of the target reel.

So How I Found This Bug — Storyline (without technicals)

I started hunting on the Instagram app in December 2021. Initially, I tested the Instagram Ads GraphQL API, but after a long hunt without finding any bug there I moved on to the Instagram Reels section. After spending some time with the target, I reached the point where users can edit their reel cover photo (thumbnail). For testing, I changed my own reel thumbnail. I intercepted all the HTTP requests using Burp, and after forwarding some of them I saw the following HTTP request.

Vulnerable Endpoint:

POST /api/v1/media/configure_to_clips_cover_image/ HTTP/2
Host: i.instagram.com
Authorization: Bearer [REDACTED_TOKEN]

clips_media_id=2763122193610496048&upload_id=2074071470030

Here are the two main parameters:

clips_media_id

upload_id

clips_media_id is the ID of the reel (the media object whose cover is being changed).

upload_id is the ID of the already-uploaded photo that I want to set as the thumbnail.

I sent this request to Repeater, replaced my clips_media_id with the media ID of my testing reel, and sent the request. To my surprise, the thumbnail of that testing reel, which my account should never have had control over, was changed.

I tried again with a different account of mine and replaced clips_media_id with the media ID of my second account's reel. Instead of my first account's reel, the thumbnail of the second account's reel changed.
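The two-account test above is the standard check for an insecure direct object reference (IDOR): the bearer token proves who the caller is, but the handler never checks that the caller owns the object named by clips_media_id. The following Python is an added example written for this article, not code from the write-up or from Instagram. It models the endpoint as a toy in-memory handler in its vulnerable form beside a hardened form that authorizes both client-supplied IDs against the authenticated user, and reproduces the cross-account test against each. The in-memory store, the account IDs, the second reel's media ID and all function names are assumptions for illustration; the first reel and upload IDs are the ones shown in the captured request.

```python
# Added example, not code from the original write-up or from Instagram.
# Toy model of the configure_to_clips_cover_image handler in its vulnerable
# and hardened forms, plus the two-account test described in the write-up.
# The store, account IDs, second reel ID and function names are assumptions.
from dataclasses import dataclass


@dataclass
class Reel:
    media_id: int
    owner_id: int          # account that owns the reel
    cover_upload_id: int   # upload currently used as the thumbnail


@dataclass
class Upload:
    upload_id: int
    owner_id: int          # account that uploaded the photo


class Forbidden(Exception):
    """Raised by the hardened handler when the caller does not own an object."""


def fresh_store():
    """Constructed sample data: two accounts, each owning one reel.
    The first reel and upload IDs are the ones in the captured request;
    the second reel's ID and both account IDs are made up."""
    reels = {
        2763122193610496048: Reel(2763122193610496048, owner_id=1001, cover_upload_id=0),
        2763122193610496099: Reel(2763122193610496099, owner_id=1002, cover_upload_id=0),
    }
    uploads = {2074071470030: Upload(2074071470030, owner_id=1001)}
    return reels, uploads


def vulnerable_configure_cover(store, auth_user_id, clips_media_id, upload_id):
    """Vulnerable pattern: the token identifies the caller (auth_user_id), but
    the handler never checks that the caller owns clips_media_id."""
    reels, _uploads = store
    reel = reels[clips_media_id]          # lookup by client-supplied ID...
    reel.cover_upload_id = upload_id      # ...and mutation, with no ownership check
    return reel


def hardened_configure_cover(store, auth_user_id, clips_media_id, upload_id):
    """Fixed pattern: authorize both client-supplied IDs against the
    authenticated user before touching anything."""
    reels, uploads = store
    reel = reels.get(clips_media_id)
    upload = uploads.get(upload_id)
    # Treat "missing" and "not yours" identically so the endpoint cannot be
    # used to enumerate which media IDs exist.
    if reel is None or reel.owner_id != auth_user_id:
        raise Forbidden("clips_media_id is not owned by the caller")
    if upload is None or upload.owner_id != auth_user_id:
        raise Forbidden("upload_id is not owned by the caller")
    reel.cover_upload_id = upload_id
    return reel


def cross_account_test(handler, attacker_id, victim_media_id, attacker_upload_id):
    """The write-up's test: call the endpoint as the attacker with the victim's
    reel ID. Returns True if the victim's thumbnail changed (IDOR present)."""
    store = fresh_store()
    reels, _ = store
    before = reels[victim_media_id].cover_upload_id
    try:
        handler(store, attacker_id, victim_media_id, attacker_upload_id)
    except Forbidden:
        pass
    return reels[victim_media_id].cover_upload_id != before


def legitimate_test(handler, user_id, own_media_id, own_upload_id):
    """Regression check: the fix must still let an owner change their own thumbnail."""
    store = fresh_store()
    reels, _ = store
    handler(store, user_id, own_media_id, own_upload_id)
    return reels[own_media_id].cover_upload_id == own_upload_id


if __name__ == "__main__":
    ATTACKER, VICTIM_REEL, ATTACKER_UPLOAD = 1001, 2763122193610496099, 2074071470030
    print("vulnerable handler, victim thumbnail changed:",
          cross_account_test(vulnerable_configure_cover, ATTACKER, VICTIM_REEL, ATTACKER_UPLOAD))
    print("hardened handler, victim thumbnail changed:  ",
          cross_account_test(hardened_configure_cover, ATTACKER, VICTIM_REEL, ATTACKER_UPLOAD))
```

The hardened handler checks upload_id as well as clips_media_id: the same class of bug would otherwise let a caller attach someone else's uploaded photo to their own reel. Returning the same error for a missing object and for an object the caller does not own keeps the endpoint from doubling as an oracle for valid media IDs.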

I was surprised, as I did not expect such a vulnerability in a subsidiary of a giant like Meta. I immediately reported it to the Meta Security Team.

Impact:

This bug allowed a malicious actor to change the thumbnail of any reel on Instagram. To perform the attack, only the media ID of the target user's reel was required, and a media ID is an identifier rather than a secret, so knowing it is not a meaningful barrier.

Within the CIA triad, integrity was violated: the attacker could alter content on the victim's profile while the victim had no say in it at all. Considering that the attack required zero victim interaction, and following the Meta security team's final impact analysis, Meta decided on this large reward. In plain words, a malicious actor was able to forge thumbnails on any profile without any authorization or victim interaction, and the impact reached across the whole Instagram user base.

Proof of concept:

PS: All testing was done on my testing accounts :)

[Video: proof of concept]

[Screenshot: proof of concept]

I would like to thank the Meta Security Team for this huge bounty reward 😊

Also a big thanks to my friend Vatsal Vaishy for helping me with this write-up :)

Timeline:

31-Jan-2022: Report sent

03-Feb-2022: Reply received from the Meta security team asking for more information

08-Feb-2022: Report triaged

11-May-2022: Awarded $49,500 ($45,000 bounty + $4,500 bonus) 🥳
