How I was able to find page/personal account disclosure on Instagram
This write-up is about how I was able to find page/personal account disclosure on Instagram. In my previous blog, I had written about Page admin disclosure and I had got much positive feedback on that blog. Since a lot of people were interested in such vulnerability exposures, I thought why not cover my new discoveries on a blog and share it with you people.
I was testing Instagram and Facebook integration features. If you are familiar with Instagram and Facebook page integration then I am sure you know that we can link our Instagram account to the Facebook page. We can also receive and send messages to Instagram users from the Facebook page. We are also familiar that the Facebook page assigned role in the message looks like below.
While I was testing this Facebook message feature from Facebook, I was not able to get admin id in any way, but when I tried this from Instagram I was able to get admin id in the WebSocket response. When an Instagram message thread is assigned to a page admin from Facebook page inbox then a WebSocket message is sent to the Instagram account which discloses the ID of the assigned Facebook Page admin.
Going deeper into this vulnerability: at first, I sent a message to the Instagram id where my Facebook page was linked.
When I viewed my message from the Facebook page, I could assign other admins to the conversation as shown in the figure below.
When I assigned an admin to the conversation, the assigned admin was leaked in the Instagram WebSocket response.
Furthermore, it was not really hard to find which page was linked with that Instagram account. You could disclose the page id linked with the Instagram account just by sending a GET request to https://i.instagram.com/api/v1/users/{id}/info/
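A regression check for this class of leak, added here as an example and not code from this write-up or from Facebook: it scans an outbound realtime frame or API response for page-admin IDs before the payload reaches the other party, including IDs buried in JSON-encoded string fields. The frame layout, field names and IDs below are constructed for illustration.

```python
import json

def find_id_leaks(payload, restricted_ids, path="$"):
    """Return the JSON paths in `payload` where a restricted ID appears."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            # Maps keyed by user ID leak just as well as values do.
            if str(key) in restricted_ids:
                hits.append(f"{path}.{key} (key)")
            hits.extend(find_id_leaks(value, restricted_ids, f"{path}.{key}"))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_id_leaks(item, restricted_ids, f"{path}[{i}]"))
    elif isinstance(payload, str):
        # Realtime frames often carry a JSON document inside a string field.
        try:
            inner = json.loads(payload)
        except ValueError:
            inner = None
        if isinstance(inner, (dict, list)):
            hits.extend(find_id_leaks(inner, restricted_ids, path + "<json>"))
        elif any(rid in payload for rid in restricted_ids):
            hits.append(path)
    elif isinstance(payload, int) and not isinstance(payload, bool):
        # IDs may be serialised as numbers rather than strings.
        if str(payload) in restricted_ids:
            hits.append(path)
    return hits

# Constructed sample data: admin IDs the message recipient must never see.
ADMIN_IDS = {"100000000000001", "100000000000002"}

# Constructed frame that mirrors the bug: the assignee ID rides along.
LEAKY_FRAME = {
    "event": "thread_update",
    "thread_id": "t-1",
    "data": json.dumps({"op": "assign", "assigned_admin": {"id": 100000000000001}}),
}
# Constructed frame after a fix: the assignment is signalled without the ID.
SAFE_FRAME = {
    "event": "thread_update",
    "thread_id": "t-1",
    "data": json.dumps({"op": "assign", "assigned": True}),
}

if __name__ == "__main__":
    print(find_id_leaks(LEAKY_FRAME, ADMIN_IDS))
    print(find_id_leaks(SAFE_FRAME, ADMIN_IDS))
```

Run against every payload type that crosses the page/customer boundary (WebSocket events and REST responses alike), a non-empty result fails the build.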
Timeline
Reported — Saturday, May 2, 2020
Triaged — Monday, June 8, 2020
Fixed — Tuesday, June 9, 2020
Bounty Awarded — Thursday, June 18, 2020
I got a notification from Facebook that said that the issue had been patched. However, I wanted to check if the issue was patched or not. I came to know that the vulnerability that leaks Instagram account linked with the Facebook page still exists by sending a GET request to /api/v1/users/{id}/info/.
I quickly reported it on the same support inbox and the Facebook team replied back to me as-
After a few days, I got a reply from the Facebook team regarding the vulnerability fix, and another 2000$ bounty was awarded. In this way, I was awarded USD 55,00 in total for the vulnerability.
Triaged — Thursday, July 2, 2020
Bounty Awarded — Thursday, July 16, 2020 (2000$)
Reference
https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520