I Can Crash Anyone’s Instagram Post - Zero Day-Permanent DoS | Meta | BugBounty | 2024

Intro And Story:

Hey HaMckers, I’m Prathap, here’s one of my recent Critical Zero-Day on Instagram Meta, It was just another evening for me, diving into my usual routine — PC on, eat, sleep, and dig deep into my systems, then repeat. I was testing Instagram’s functionalities while watching the movie. As the movie was heating up , so was my testing.

I was Suspicious And noticed something unusual in the comment function. While uploading a GIF, I noticed that the GraphQL request included a comment_text parameter. My thought was, "Why? Literally, Why would a GIF upload need a comment_text parameter?" interesting…!, It seemed odd, After some experimentation, I realized that by altering certain inputs, I could trigger a crash.

Within seconds, boom! “No need for any further testing — straight PoC” I discovered that this small oversight allowed me to crash any post on Instagram permanently. This wasn’t just a minor glitch — it was a fully developed vulnerability that allowed me to crash any post on Instagram permanently, making it completely inaccessible and causing a permanent denial of service (DoS).

And yes, that includes crashing the comment section on any user’s post, even Mark Zuckerberg’s.

Description :

The Instagram Comment session allows an attacker to crash any user’s comment session by uploading a GIF and modifying the request `comment_text`. Here the vulnerability is While commenting on a GIF, Instagram’s GraphQL API unnecessarily includes a comment_text parameter—something that shouldn’t be present. By exploiting this, including the Vale into the parameter, an attacker can crash the comment session of any Instagram post.

This crash isn’t just temporary — it’s permanent Crash. The targeted comment session becomes inaccessible not only to the victim but also to any other user attempting to view it. This vulnerability allows an attacker to crash the comment session of any user (e.g., high-profile individuals like Cristiano Ronaldo, Mark Zuckerberg, etc.). Whenever anyone tries to comment on the victim’s post, it will crash, resulting in a permanent denial of service DoS for that comment thread.

Impact:

An attacker can permanently crash a victim’s comment session, leading to a permanent denial of service (DoS). The victim will no longer be able to view or interact with the affected comment thread. The vulnerability can target any user, including high-profile individuals like (cristiano ronaldo, Mark Zuckerberg, and others) any user — famous or not — and anyone attempting to interact with the post’s comments will experience app crashes. The app will freeze and stop working whenever the comment thread is opened, making the post and its comments entirely inaccessible.

Scenario:

Let’s paint a picture:

User B (Mark Zuckerberg) uploads a new post on Instagram.User A (the attacker) exploits the vulnerability by uploading a GIF And Modify comment_text parameter.Now, no one — not even Mark Zuckerberg — can access the comment section on that post.Random users (User C) trying to interact with the comments will face the same issue: their app will crash whenever they try to open the comment thread.

Zuck, in this case, will have no idea what’s causing the crash and won’t be able to delete the comment or interact with the post in any way.

Proof of Concept:

Users: UserA (attacker), UserB (targeted victim), UsersC (Random Users)
App: Instagram Android and Instagram IOS latest version.

POST /api/v1/media/34xxxxxxxxxxxxxxx81/comment/ HTTP/2
Host: i.instagram.com

signed_body=SIGNATURE.{”gif_params”:”{\”gif_media_id\”:\”C5oD3WouufnWORp7wP\”,\”is_sticker\”:false}”,button:1722254373.109::,UserDetailFragment:profile:18:search_result:1722254498.180::,ProfileMediaTabFragment:profile:19:button:1722254498.905::,ContextualFeedFragment:feed_contextual_profile:20:button:1722254500.838::,CommentThreadFragment:comments_v2_feed_contextual_profile:21:button:1722254501.992::”,”comment_text”:”xxxx”is_carousel_bumped_post”:”false”,”container_module”:”comments_v2_feed_contextual_profile”,”feed_position”:”1"}

As soon as the victim opens the comment session, their app will crash. The victim will not be able to delete the comment.The Gif Comment Looks Like — From Pc Interface

This affects the latest versions of Instagram on iOS and Android.

Video POC :

Steps to Resolve

The attacker needs to delete their own comment.The user needs to delete the comment from the PC web interface. (It is not possible to find the Vulnerable Comment)

Affected Users — Literally Everyone on Instagram

The consequences of this vulnerability include:

The victim (e.g., Zuck) will experience repeated crashes when attempting to access their post’s comments.Other users will find their Instagram app freezing and crashing, rendering it unusable for around two minutes before restarting.The malicious comment remains active until manually removed.Done..!