This bug is categorised as IDOR.
We all share Instagram reels with our friend via DM.
Did you every try "Copy link" and share on mediums like WhatsApp or any similar apps ?
When you do that, the generated Link would be of the below URL
https://www.instagram.com/reels/<REEL_ID>?igsh=<Encrypted>
The igsh in the Query params of URL is an encrypted string, that would get decrypted on the Instagram servers to the User's Profile ID.
On clicking on the link, it would open the Instagram App and plays the reel and then an interruption will be by a popup like the below screenshot
The Attack... Crafting the URL...
If you replace the <Reel_ID> (What the user intended to share) with a <Granphically_Sensitive_Content_REEL_ID> in the link and send it to users, when ever any user opens the link. It would show graphically sensitive content and then a Popup of the victim's profile. Though they didn't intend to share it.
Report timeline
12th Sept, 2024 - Initial Report
1st Dec, 2024 - Sent to the Product team for the Fix.
4th Dec, 2024 - Rewarded with a bonus for the delay
Comments
Post a Comment