Your destination for complete Tech news

How I was able to find page/personal account disclosure on Instagram

437 0
How I was able to find page/personal account disclosure on Instagram
3 min read

This write-up is about how I was able to find page/personal account disclosure on Instagram. In my previous blog, I had written about Page admin disclosure and I had got much positive feedback on that blog. Since a lot of people were interested in such vulnerability exposures, I thought why not cover my new discoveries on a blog and share it with you people.

I was testing Instagram and Facebook integration features. If you are familiar with Instagram and Facebook page integration then I am sure you know that we can link our Instagram account to the Facebook page. We can also receive and send messages to Instagram users from the Facebook page. We are also familiar that the Facebook page assigned role in the message looks like below.

Image for post

While I was testing this Facebook message feature from Facebook, I was not able to get admin id in any way, but when I tried this from Instagram I was able to get admin id in the WebSocket response. When an Instagram message thread is assigned to a page admin from Facebook page inbox then a WebSocket message is sent to the Instagram account which discloses the ID of the assigned Facebook Page admin.

Going deep into this vulnerability. At first, I sent a message to the Instagram id where my Facebook page was linked.

Image for post

When I viewed my message from the Facebook page, I could assign other admins to the conversation as shown in the figure below.

Image for post

When I assigned an admin to the conversation then the assigned admin was leaked in the Instagram web socket response.

Image for post

Furthermore, it was not really hard to find which page was linked with that Instagram account. You could disclose page id linked with the Instagram account just by sending a GET request at https://i.instagram.com/api/v1/users/{id}/info/

Image for post

Timeline

Reported — Saturday, May 2, 2020

Triaged — Monday, June 8, 2020

Fixed — Tuesday, June 9, 2020

Bounty Awarded — Thursday, June 18, 2020

Image for post

I got a notification from Facebook that said that the issue had been patched. However, I wanted to check if the issue was patched or not. I came to know that the vulnerability that leaks Instagram account linked with the Facebook page still exists by sending a GET request to /api/v1/users/{id}/info/.

I quickly reported it on the same support inbox and the Facebook team replied back to me as-

Image for post

After a few days, I got a reply from the Facebook team regarding the vulnerability fix, and another 2000$ bounty was awarded. In this way, I was awarded USD 5,500 in total for the vulnerability.

Image for post

Triaged — Thursday, July 2, 2020

Bounty Awarded — Thursday, July 16, 2020 (2000$)

You can reach at twitter https://twitter.com/evilboyajay

Reference

https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520

Leave A Reply

Your email address will not be published.

5 × 4 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.