Description
This bug could have allowed a malicious user to access archived Instagram media by using its Media ID. Both public and private Instagram users were affected.
For public users, no follow relationship was required; for private Instagram users, the attacker had to follow the private account to access its archived media.
Impact
Archived media is only supposed to be accessible to the owner of that media, but an attacker could access the archived media of other Instagram users.
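The access rules the write-up describes (public: anyone; private: owner or follower; archived: owner only) reduce to a small authorization check, and the bug is the archived rule being skipped. The following is an added example, not Instagram's code: a hypothetical `can_view_media` check with the archived condition evaluated first, beside a `can_view_media_vulnerable` variant that only checks the follow relationship and so leaks archived media. The account and media records are constructed sample data.

```python
# Added example: minimal authorization model for media visibility.
# Hypothetical reference code, not Instagram's implementation.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    is_private: bool
    followers: set = field(default_factory=set)  # ids allowed to see private media


@dataclass
class Media:
    media_id: str
    owner_id: str
    archived: bool


# Constructed sample data: one public account, one private account with a follower.
ACCOUNTS = {
    "alice": Account("alice", is_private=False),
    "bob": Account("bob", is_private=True, followers={"carol"}),
}
MEDIA = {
    "m1": Media("m1", "alice", archived=False),
    "m2": Media("m2", "alice", archived=True),
    "m3": Media("m3", "bob", archived=False),
    "m4": Media("m4", "bob", archived=True),
}


def can_view_media_vulnerable(viewer_id, media, accounts):
    """Checks only the privacy relationship and ignores the archived flag.

    This is the class of bug in the write-up: archived media is returned to
    anyone who may see the owner's normal feed.
    """
    owner = accounts[media.owner_id]
    if viewer_id == owner.account_id:
        return True
    if owner.is_private:
        return viewer_id in owner.followers
    return True


def can_view_media(viewer_id, media, accounts):
    """Hardened check: archived media is owner-only, and that rule runs first."""
    owner = accounts[media.owner_id]
    if viewer_id == owner.account_id:
        return True
    if media.archived:
        return False
    if owner.is_private:
        return viewer_id in owner.followers
    return True


def media_info(viewer_id, media_id, accounts=ACCOUNTS, media_store=MEDIA):
    """Handler-style wrapper returning (status_code, body)."""
    media = media_store.get(media_id)
    if media is None or not can_view_media(viewer_id, media, accounts):
        # One response for both "missing" and "not authorized", so the
        # endpoint does not act as an oracle for which IDs exist or are archived.
        return 404, None
    return 200, {"id": media.media_id, "owner_id": media.owner_id}


if __name__ == "__main__":
    for viewer in ("alice", "carol", "dave"):
        for mid in MEDIA:
            print(viewer, mid,
                  "vulnerable:", can_view_media_vulnerable(viewer, MEDIA[mid], ACCOUNTS),
                  "fixed:", can_view_media(viewer, MEDIA[mid], ACCOUNTS))
```

Ordering matters: the archived check has to run before the privacy check, because a follower of a private account satisfies the privacy rule and would otherwise be let through. The handler also collapses "not found" and "not authorized" into one response, the opposite of the behaviour the write-up relies on, where a distinct 400 confirmed that an ID was valid archived media.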
How to get a Media ID?
- Google Dork
- By brute forcing Media IDs
How to validate whether media is archived?
Initially, the attacker stores all the valid responses from the Ads GraphQL endpoint, with the Media ID, owner ID, display URL and other details.
The attacker then sends a GET request to https://i.instagram.com/api/v1/media/[MEDIA_ID]/info/, where MEDIA_ID is the media ID retrieved from the above process.
A "400 Bad Request" response confirms it is valid archived media.
Vulnerable Endpoint
POST /api/v1/ads/graphql/ HTTP/2
Host: i.instagram.com
User-Agent: Instagram 202.0.0.37.123 Android (XXXXXXXXXXXXXX)
Accept-Language: en-IN, en-US
Authorization: HIDDEN
Ig-Intended-User-Id: XXXXXX
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
X-Fb-Http-Engine: Liger
X-Fb-Client-Ip: True
X-Fb-Server-Cluster: True
doc_id=XXXXXXXXXXXX&locale=en_US&query_params={"query_params":{"access_token":"","id":"[MEDIA_ID]"}}
I reported 2 doc_ids; after that I found another 2 different doc_ids, but instead of reporting them I waited for the fix, and after the patch everything was fixed (maybe the root cause was the same).
This issue has now been fixed by Instagram.
Timeline
9 September 2021 : Report sent
20 September 2021 : Report Triaged
4 October 2021 : Fixed (Fixed within 2-3 days but they sent the confirmation later)
3 November 2021 : Bounty Awarded