Introduction
Instagram, launched in October 2010, is a widely used social media platform recognized for its emphasis on sharing photos and videos. Users create profiles to engage with a global audience, sharing visually compelling moments. Over time, Instagram has evolved with features such as Stories, IGTV, and Reels, transforming into a dynamic hub for creative expression, self-discovery, and social connectivity. Instagram is owned by Meta, the parent company of various prominent social media platforms.
The finding
In 2018, Instagram introduced the ‘IGTV’ feature, enabling users to watch long-form, vertical videos from their favorite creators. However, a High vulnerability in the IGTV feature, specifically an Insecure Direct Object Reference (IDOR) bug, surfaced. This flaw allowed attackers to add descriptions to posts of other users that were missing one.
Key Exploitation Details
- The attacker can add descriptions to posts lacking one.
- The exploit is effective across all post types, including photos, videos, and IGTV posts.
- Limited to public accounts, requiring the attacker to have visibility of the victim’s posts for successful execution.
Reproduction Steps
- Upload and edit an IGTV video from the attacker’s account.
- Intercept the editing request using Burpsuite
POST /media/1887820989027383407/edit/
caption=<your_post_description_here>&publish_mode=igtv&title=test
- (Replace “1887820989027383407” with the attacker’s media ID, and set the desired description with
caption=<your_post_description_here> - Obtain the media ID of a victim’s post without a description.
- Replace the attacker’s media ID in the intercepted request with the victim’s media ID.
- Submit the modified request to trigger an Internal Server error with the message “Oops, an error occurred.”
- Despite the error, refresh the victim’s post page to verify the successfully added description by the attacker.
Why this Bug Poses a Severe Threat
- Wide User Exposure:
- Millions of Instagram users have public profiles, increasing the scope of vulnerability across a substantial user base.
- Pervasive Lack of Descriptions:
- Many public accounts have posts without descriptions, making the bug applicable to a vast number of accounts.
- Targeting High-Profile Users:
- The bug allows malicious actors to target high-profile individuals, such as celebrities like Mark Zuckerberg and Lionel Messi, who have millions of followers.
- Potential for Media Exploitation:
- In the wrong hands, this bug could be exploited for sensational media coverage by targeting celebrities, leading to significant public attention and potential reputational damage.
- Inter-Company Conflict:
- Malicious use of the bug could create conflicts between prominent companies or public figures, amplifying tensions or disputes, such as between competitors like Apple and Samsung.
- Amplification Through Social Media:
- Exploiting the bug on influential accounts could cause a ripple effect, spreading misinformation or creating controversies that gain widespread attention through social media platforms.
- Social Engineering Opportunities:
- The bug opens avenues for social engineering attacks, as attackers could manipulate public perception, exploit trust, or engage in identity-related fraud.
- Potential Legal and Privacy Issues:
- Unauthorized manipulation of high-profile accounts raises serious legal and privacy concerns, potentially leading to legal action against the platform and impacting user trust.
- Reputation Damage and Trust Erosion:
- Targeting individuals with large followings can damage their reputation and erode trust in the Instagram platform, affecting user confidence and engagement.
In summary, the combination of the bug’s widespread applicability, potential for high-profile targeting, and the resulting social, legal, and reputational consequences underscores its severe and far-reaching implications.
Timeline
- Sarmad | August 6, 2018
- Initial Bug Report
- Meta Bug Bounty | August 14, 2018
- Report Triaged
- Meta Bug Bounty | August 15, 2018
- Bug Successfully Fixed
- Sarmad | August 15, 2018
- Fix Confirmed
- Meta Bug Bounty | October 10, 2018
- Bounty Awarded