How a Simple Bug Could Have Taken Down Your Instagram Tags


Kiril Krivoguz

InfoSec Write-ups

Hey everyone! I wanted to share a recent finding of mine — a vulnerability in Instagram’s tagging functionality that could have led to a denial of service (DoS) condition for users. I’ve already reported this to Meta, and they’ve implemented a fix. Let’s dive into the technical details and see what we can learn from it.

What are Tags on Instagram?

Just a quick refresher: Instagram allows users to tag each other in posts, which creates a link to their profile and sends them a notification. It’s a core feature for giving credit, acknowledging presence, and connecting with others on the platform.

Uncovering the Vulnerability

I was testing the Instagram Android app, focusing on the tagging feature, and using Burp Suite to intercept and modify requests. I noticed a parameter called “categories” within the tagging request (POST /API/v1/media/your_id/edit_media/). This parameter seemed to be related to the profile category of the tagged account (e.g., “Business,” “Public Figure”).

Curious, I started manipulating this parameter. Initially, I simply changed its value to a random string, and to my surprise, I was able to tag someone with a fabricated category. This unexpected behavior hinted at a potential issue.

To explore further, I sent an extremely large string (around 8MB) as the value for the “categories” parameter. And it worked! There was no input validation or character limit in place.

The consequence? When I logged in as the tagged account, their “Tags” section failed to load. This meant an attacker could effectively prevent users from accessing and managing their tags — a classic DoS scenario.

Further testing revealed that if the victim had enabled the option to manually approve tags, the “Pending Tags” section would also crash. This prevented the victim from reviewing and approving legitimate tags, and since they couldn’t reject the malicious tag either, there was no way for them to self-mitigate the issue.

Impact

This vulnerability could have been exploited to disrupt the user experience for any Instagram user, hindering their ability to engage with a core feature of the platform.

Tools and Techniques

For those interested in Instagram Android app testing, this tool was helpful for bypassing SSL pinning: https://github.com/Eltion/Instagram-SSL-Pinning-Bypass

Key Takeaway

This vulnerability highlights how even seemingly minor features, like tagging, can have hidden complexities that lead to security flaws. It underscores the importance of thorough testing, especially focusing on edge cases and unexpected inputs.

A key takeaway for fellow bug hunters is to always consider character limits and input validation, even for parameters that aren’t immediately visible. Don’t assume any limitations are in place!
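One way a server could apply the checks this write-up found missing, as an added example that is not from the original post or from Meta's code. The allowlist, the size limits and all function and field names other than "categories" are assumptions made for illustration.

```python
# Added illustration: names, limits and the allowlist are assumptions,
# not Instagram's real values.
ALLOWED_CATEGORIES = frozenset({"Business", "Public Figure"})  # assumed allowlist
MAX_CATEGORY_LEN = 64        # assumed per-value character limit
MAX_BODY_BYTES = 64 * 1024   # assumed cap for a tagging request body


class TagValidationError(ValueError):
    """Raised when a tagging request must be rejected."""


def validate_tag_request(raw_body: bytes, fields: dict) -> str:
    """Write-side check: refuse the request before anything is stored."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise TagValidationError("request body too large")
    category = fields.get("categories", "")
    if not isinstance(category, str):
        raise TagValidationError("categories must be a string")
    if len(category) > MAX_CATEGORY_LEN:
        raise TagValidationError("categories too long")
    # Empty means "no category"; anything else must be a server-defined value.
    if category and category not in ALLOWED_CATEGORIES:
        raise TagValidationError("unknown category")
    return category


def render_tags(stored_tags: list) -> list:
    """Read-side check: one bad stored record must not break the whole list."""
    rendered = []
    for tag in stored_tags:
        category = tag.get("categories", "")
        if (not isinstance(category, str) or len(category) > MAX_CATEGORY_LEN
                or (category and category not in ALLOWED_CATEGORIES)):
            # Keep the tag listed so its owner can still reject it,
            # but drop the untrusted category value.
            category = ""
        rendered.append({"media_id": tag["media_id"], "categories": category})
    return rendered


if __name__ == "__main__":
    # Constructed records: one normal, one stored before validation existed.
    stored = [{"media_id": "1", "categories": "Business"},
              {"media_id": "2", "categories": "A" * 100_000}]
    print(render_tags(stored))
```

The read-side function matters because a record written before the fix would otherwise keep the tagged user's list broken even after new requests are validated.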

Finally, this finding is a reminder that vulnerabilities can exist anywhere, even in widely used applications like Instagram. It encourages us to keep exploring, learning, and pushing the boundaries of security testing. You never know what you might find!

Timeline

Reported: April 24, 2024
Triaged: May 3, 2024
$500 awarded: May 8, 2024
Fixed: May 16, 2024

Thanks for reading!
