Disclose Facebook Page linked to the Professional Instagram Account (NA)

The Facebook Page linked to a Professional (Business/Creator) Instagram account can be disclosed.

Reproduction Steps

  1. Send a POST request to i.instagram.com/api/v1/ads/graphql/ with the parameters
    access_token=null&variables={"query_params":{"access_token":"","id":"MEDIA_ID"}}&doc_id=37XXXXXXXXXXXXXX
  2. Send a POST request to i.instagram.com/api/v1/ads/graphql/ with the parameters
    access_token=undefined&variables={"query_params":{"id":"MEDIA_ID"}}&doc_id=3054671091225282
  3. Here, MEDIA_ID is the ID of a post, story or reel of the targeted user.
    The profile picture's media ID is also sufficient if the targeted user has no posts.
  4. The responses to the above requests disclose the Facebook Page ID linked to the Professional Instagram Account.

Reply from FB Security Team,

Hi Mayur,


In this case, the issue you’ve described is actually just intended functionality and therefore doesn’t qualify for a bounty.


The Facebook page to Instagram connection is not private and can be seen in various features such as Ad Library: https://www.facebook.com/ads/library/?active_status=all&ad_type=all&country=US&view_all_page_id=[PAGE_ID]&search_type=page


Thank you for contacting us, and please let us know of any security issues you discover in the future.


Thanks,
◼◼◼◼◼
Security

Timeline

26 April 2021 : Report Sent
28 April 2021 : Intended functionality. Report closed by Facebook