Description/Impact
An attacker could be able to access ad_account ID, owner of the ad account linked to the Instagram account. This could allowed for page admin disclosure in some situations.
IDs such as Ad Account ID are not considered sensitive information, unless you can disclose personal user information from it. In this case owner of the ad account was also leaked along with the ID of the ad account.
To perform this attack, only IGID of the targeted Instagram user was required.
Reproduction Steps
UserA is an attacker, UserB is the victim.
- UserA sends POST request to
i.instagram.com/api/v1/ads/graphql/with parametersoss_request_format=true&query_id=47562***********&query_params={"query_params":{"access_token":"","id":"USER_ID"}}
Where USER_ID is IGID of UserB. - The response of above request contains ad_account_id, owner of ad account (Facebook User).
- UserA finds Facebook page linked to the UserB’s Instagram account.
More info - Now UserA has info of Facebook Page & Facebook Account(Name) linked to the UserB’s Instagram account.
Meta Security team initially misunderstood this report and closed as Not Applicable.
After requesting review, they reopened the report.
Timeline
24 September 2021 (20:47) : Report Sent
25 September 2021 (00:56) : Report closed as NA
1 November 2021 : Closed as Informative (After few replies)
25 December 2021 : Review Requested
4 January 2022 : Report reopened
18 January 2022 : Bounty Awarded