Skip to main content

Instagram Bug : $$$$ Mention Bypass | Facebook Bug Bounty

I was testing with the Instagram Lite App. There is major difference in the APIs of the Instagram APp and the Lite App.  

Bugs were found by other bug hunters in the Facebook and its Lite Version. So I gave a try to the Insta.

I was mainly concerned about the privacy of other users, like invading into their privacy and something I enjoy doing. We also love invading into other people private life right? Like who they dated and also love to read their personal messages.

In the Instagram App

There is Mentions in the Privacy settings of Instagram that have options like:

No One.

Only followers etc.

When the User has set the mentions to No one then any user cannot tag them in the comments of other posts across Insta.

But in the Instagram Lite app, You can directly enter the user name of the user and just post the comment. I tags that account.



Rewarded $500 , 25 days later since reporting the bug

Comments

  1. Unknown10 May 2021 at 02:37

    Hello; it is still reproducible; I've got a bypass. Can we contact?

    ReplyDelete

Post a Comment

Popular posts from this blog

Google form setting Bypass - Making my way to the Google's Hall of Fame !

  G o o g l e ! Bug : Circumventing "Limit to 1 response" of  Google forms  ( Parameter Injection )        Discovered on: 30th, November 2016.            Research Time: 2:00 p.m to 9:30 p.m. Earn more by display ads on blog with  Lithific Ads The setting is "Limit to 1 response" which means only one response per user. Once you filled the form there will be no chance to edit the responses or again fill a new form. If you open the form to fill again, the response would be like the image below. There is no way to edit or fill another form (Hurdle 1). I created a test form and checked "Edit after submit". Once this test form is filled I can change the previous response.  I clicked on the "Edit your  response"and intercepted the request.  I changed the form id and forwarded the request. I was able to see the form that was submitted. When I edited the form and submitted, a blank form was sent. (Hurdle 2). I analysed the requests f
1 comment
Read more

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages.  The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker,  Bug Bounty of $500
Post a Comment
Read more

Facebook Messenger bug. React to any message on behalf of a Facebook Page

Reacting to Facebook Messages  An Admin can interact with his Facebook Page through Facebok page's Inbox, there is no UI to react to the messages like HAHA, LOVE etc.  Reply to the messages . You must be knowing about the WhatsApp messenger's Reply feature where you can reply to a particular message. There is something for Facebook messenger too. You can reply to message by hovering over the message and there will be "Reply" option. Click on that.  Now type some random message and click on "Send" and intercept the request. You can find in the HTTP Request that there is a parameter "message_id" in the message body. Change to some other message_id that doesn't belong to chat that you currently opened. Now I sent the request. There was an error that was thrown saying .. "The content is longer available".  Now my next adventure to try to find a bug in the Messaging continues. If you have a conversation with your girlfriend you can alway
1 comment
Read more