Hello all, I'm Naveen, an 18-year-old Cyber Security Enthusiast. Today I’m gonna share a story about how I was able to retrieve any targeted Instagram user’s archived stories.
If you want to connect with me here are my socials: @Instagram @Twitter
Methodology:
While hunting for bugs on Instagram, my main goal was to exploit an ads/graphql endpoint. Why? Because this endpoint was vulnerable a lot of times earlier, so I thought why not look for it.
Description:
Somehow, luckily, I found the endpoint ads/graphql; ngl, it took some time to find it.
And the first thing I did was look for IDOR, and BINGO!! It was vulnerable to IDOR.
Expected Behaviour:
The endpoint is supposed to show the archived stories of a user/actor when it gets triggered.
Impact:
This bug could’ve let a malicious counterpart retrieve all archived stories of a targeted Instagram account just by replacing the user-id parameter with the victim's user-id.
Steps To Reproduce:
Send a request to api/v1/ads/graphql with the parameters:
surface=story_grid&doc_id=3271888199508091&locale=en_GB&vc_policy=insights_policy&signed_body=SIGNATURE.&strip_nulls=true&strip_defaults=true&query_params={"count":15,"cursor":"0","timeframe":"LIFETIME","searchBase":"USER","promoteEligibility":"ELIGIBLE","trackingCondition":"CREATED_BEFORE_TRACKING_INCLUDED","is_user":"true","queryParams":{"access_token":"","id":"[USERID]"}}
Now just replace the id param with the target user id. That’s it, you will have access to all the target user's archived stories.
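A minimal server-side model of this bug class and its fix, added here as an illustration (it is not Instagram's code and not from the original write-up). The handler names, the MANAGED_IDS map and the sample data are assumptions constructed for the example; only the query_params nesting follows the request above.

```python
import json
from urllib.parse import parse_qs, urlencode

# Hypothetical ownership map: the account ids each session may act for
# (its own id plus any accounts it manages). Constructed data.
MANAGED_IDS = {"1001": {"1001"}, "2002": {"2002", "2003"}}

# Constructed store standing in for archived stories, keyed by owner id.
ARCHIVE = {"1001": ["story-a"], "2002": ["story-b"], "2003": ["story-c"]}


class Forbidden(Exception):
    """Raised when the session may not read the requested object."""


def requested_id(form_body: str) -> str:
    """Pull queryParams.id out of the form field query_params (a JSON string)."""
    fields = parse_qs(form_body, keep_blank_values=True)
    params = json.loads(fields["query_params"][0])
    target = params["queryParams"]["id"]
    if not isinstance(target, str) or not target.isdigit():
        raise ValueError("id must be a numeric string")
    return target


def archived_stories_vulnerable(session_user_id: str, form_body: str) -> list:
    # IDOR: the client-supplied id is trusted and the session is never consulted.
    return ARCHIVE.get(requested_id(form_body), [])


def archived_stories_checked(session_user_id: str, form_body: str) -> list:
    # Object-level authorization: the id must be one this session may act for.
    target = requested_id(form_body)
    if target not in MANAGED_IDS.get(session_user_id, set()):
        raise Forbidden(f"session {session_user_id} may not read {target}")
    return ARCHIVE.get(target, [])


def sample_body(target_id: str) -> str:
    """Constructed form body with the same nesting as the request above."""
    inner = {"count": 15, "cursor": "0",
             "queryParams": {"access_token": "", "id": target_id}}
    return urlencode({"surface": "story_grid", "query_params": json.dumps(inner)})
```

The check belongs in the resolver that loads the object, so every doc_id that accepts an id argument goes through it; a denied lookup is also a useful signal to log and alert on.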
Response:
Timeline of Report:
Initial report: 23 June 2021
Facebook Response: 25 June 2021
Asked for more info; the discussion went on for 3 weeks and I was getting updates from them. Their last reply was on 29th of June :/
State changed to Duplicate: 7 July 2021
RIGHT PLACE WRONG TIME :)
Follow me on my socials for more write-ups @instagram @twitter.