GraphQL query with fragments & other info disclosed on Execution error at instagram.com/graphql/query

Description:

GraphQL execution errors should not disclose sensitive information, including the entire GraphQL query with fragments, to the client. By default, GraphQL returns an error response with a standardized error format that includes a message and an optional set of error locations in the query.
This error response should be used to provide useful error messages to the client without revealing any sensitive information.

However, when we pass a valid doc_id without any variables in the request body of instagram.com/graphql/query, it produces errors. The error shows the actual GraphQL query/mutation (with fragments) behind that doc_id.

Impact:

It was possible to disclose the actual GraphQL query/mutation with fragments behind a doc_id, as well as other information.
Although a GraphQL query/mutation can be partly predicted from its response, the actual query/mutation with fragments cannot be predicted from the response.

Vulnerable Endpoint

POST /graphql/query HTTP/2
Host: www.instagram.com

doc_id=17*************

It was also possible to extract the variables or query parameters required for that doc_id. However, only a limited set of doc_ids could be passed.
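As an added illustration (not code from this report or from Instagram), here is a minimal persisted-query handler showing the defect the report describes beside a hardened version: a missing-variables execution error that echoes the stored document, versus one that returns a generic message and keeps the detail server-side. The doc_id value, query document and store are constructed for the example.

```python
import uuid

# Constructed stand-in for a persisted-query store keyed by doc_id; the doc_id
# value and the query document are hypothetical, not Instagram's.
PERSISTED_DOCS = {
    "17000000000000000": {
        "document": (
            "query UserProfile($id: ID!) { user(id: $id) { ...ProfileFields } }\n"
            "fragment ProfileFields on User { id username is_private }"
        ),
        "required_variables": {"id": "ID!"},
    },
}

def missing_variables(doc_id, variables):
    """Names of required variables the request did not supply."""
    doc = PERSISTED_DOCS[doc_id]
    return [name for name in doc["required_variables"] if name not in variables]

def execute_vulnerable(doc_id, variables):
    """Vulnerable pattern: the execution error echoes the stored document (fragments included)."""
    if doc_id not in PERSISTED_DOCS:
        return {"errors": [{"message": "unknown doc_id"}]}
    missing = missing_variables(doc_id, variables)
    if missing:
        doc = PERSISTED_DOCS[doc_id]["document"]
        return {"errors": [{"message": f"missing {missing} for document:\n{doc}"}]}
    return {"data": {"user": {"id": variables["id"]}}}

def execute_hardened(doc_id, variables, server_log=None):
    """Hardened pattern: generic client message, details logged server-side under a reference id."""
    if doc_id not in PERSISTED_DOCS:
        return {"errors": [{"message": "request could not be processed"}]}
    missing = missing_variables(doc_id, variables)
    if missing:
        ref = uuid.uuid4().hex
        if server_log is not None:
            server_log.append(f"{ref} doc_id={doc_id} missing variables={missing}")
        return {"errors": [{"message": "request could not be processed",
                            "extensions": {"ref": ref}}]}
    return {"data": {"user": {"id": variables["id"]}}}

def response_leaks_document(response, doc_id):
    """Response check: does any error message carry the stored query text or a fragment definition?"""
    doc = PERSISTED_DOCS[doc_id]["document"]
    for err in response.get("errors", []):
        msg = err.get("message", "")
        if doc in msg or "fragment " in msg:
            return True
    return False
```

The same response check can be pointed at captured error bodies from a real endpoint to confirm a fix like the one recorded in the timeline below.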

Timeline

2 January 2023 : Report sent
13 January 2023 : Sent for further investigation (report status still New)
13 February 2023 : Fixed
13 February 2023 : $$$$ Bounty awarded (including league & time bonus)