How I was able to find page/personal account disclosure on Instagram

This write-up is about how I was able to find page/personal account disclosure on Instagram. In my previous blog, I had written about Page admin disclosure and I had got much positive feedback on that blog. Since a lot of people were interested in such vulnerability exposures, I thought why not cover my new discoveries on a blog and share it with you people.

I was testing Instagram and Facebook integration features. If you are familiar with Instagram and Facebook page integration then I am sure you know that we can link our Instagram account to the Facebook page. We can also receive and send messages to Instagram users from the Facebook page. We are also familiar that the Facebook page assigned role in the message looks like below.

Facebook assigns conversation

While I was testing this Facebook message feature from Facebook, I was not able to get admin id in any way, but when I tried this from Instagram I was able to get admin id in the WebSocket response. When an Instagram message thread is assigned to a page admin from Facebook page inbox then a WebSocket message is sent to the Instagram account which discloses the ID of the assigned Facebook Page admin.

Going deeper into this vulnerability: at first, I sent a message to the Instagram ID where my Facebook page was linked.

When I viewed my message from the Facebook page, I could assign other admins to the conversation as shown in the figure below.

Instagram Message Assign Facebook

When I assigned an admin to the conversation, the assigned admin was leaked in the Instagram WebSocket response.

Page Admin Disclosure

Furthermore, it was not really hard to find which page was linked with that Instagram account. You could disclose page id linked with the Instagram account just by sending a GET request at https://i.instagram.com/api/v1/users/{id}/info/

The Instagram account linked with Facebook page
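Both leaks described above (the assigned admin's ID in the WebSocket message, and the linked page ID in the user info response) come from sending the same record to every recipient. The following is an added example, not code from this write-up or from Facebook/Instagram, showing that pattern next to a per-audience allowlist and a regression check; all field names, audience names and IDs are hypothetical.

```python
import json

# Hypothetical field and audience names; the real payloads are not shown on the page.
EVENT_ALLOWLIST = {
    "page_admin": {"event", "thread_id", "page_id", "assigned_admin_id"},
    "external_user": {"event", "thread_id"},
}
PROFILE_ALLOWLIST = {
    "owner": {"user_id", "username", "linked_page_id"},
    "other_user": {"user_id", "username"},
}

# Constructed sample records (all IDs are made up).
ASSIGN_EVENT = {"event": "thread_assigned", "thread_id": "t-1001",
                "page_id": "p-2002", "assigned_admin_id": "u-3003"}
USER_INFO = {"user_id": "ig-4004", "username": "example_shop",
             "linked_page_id": "p-2002"}


def serialize_naive(record):
    """Leaky pattern: the same full record goes to every recipient."""
    return json.dumps(record, sort_keys=True)


def serialize_for(record, audience, allowlist):
    """Hardened pattern: emit only fields allowlisted for this audience.
    An unknown audience gets an empty object (fail closed)."""
    allowed = allowlist.get(audience, set())
    return json.dumps({k: v for k, v in record.items() if k in allowed},
                      sort_keys=True)


def leaked_fields(payload, audience, allowlist):
    """Regression check: fields in a serialized payload the audience must not see."""
    return sorted(set(json.loads(payload)) - allowlist.get(audience, set()))


if __name__ == "__main__":
    for name, record, audience, allowlist in [
        ("assign event", ASSIGN_EVENT, "external_user", EVENT_ALLOWLIST),
        ("user info", USER_INFO, "other_user", PROFILE_ALLOWLIST),
    ]:
        before = leaked_fields(serialize_naive(record), audience, allowlist)
        after = leaked_fields(serialize_for(record, audience, allowlist),
                              audience, allowlist)
        print(f"{name}: naive leaks {before}, filtered leaks {after}")
```

Running `leaked_fields` over every outbound message type in a test suite catches this class of disclosure when a new field is added to a shared record.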

Timeline

Reported — Saturday, May 2, 2020

Triaged — Monday, June 8, 2020

Fixed — Tuesday, June 9, 2020

Bounty Awarded — Thursday, June 18, 2020

Bounty Awarded

I got a notification from Facebook that said that the issue had been patched. However, I wanted to check if the issue was patched or not. I came to know that the vulnerability that leaks Instagram account linked with the Facebook page still exists by sending a GET request to /api/v1/users/{id}/info/.

I quickly reported it on the same support inbox and the Facebook team replied back to me as-

[Image: reply from the Facebook team]

After a few days, I got a reply from the Facebook team regarding the vulnerability fix, and another 2000$ bounty was awarded. In this way, I was awarded USD 55,00 in total for the vulnerability.

Triaged — Thursday, July 2, 2020

Bounty Awarded — Thursday, July 16, 2020 (2000$)

Total Bounty Awarded

Reference

https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520
