Media deletion CSRF vulnerability on Instagram
I noticed a copyright section has been added to Instagram. Whenever a user violates another person's copyright, a notification is shown to delete the media or request an appeal.
After uploading a video containing music, I was faced with the copyright notification.
It was interesting to me, so I started digging into it.
It was possible to delete media with a GET request.
Vulnerable Endpoint: https://www.instagram.com/media/{MEDIA_ID}/copyright/dismiss_am/
The MEDIA_ID is a {story_id or post_id} that will be deleted
Opening the malicious link in either the Instagram app or the web causes the media to be deleted from the victim's account.
Android POC: Remove story CSRF in android
Web POC: Remove post CSRF in web
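The flaw class described above, a state-changing action reachable by GET with only the session cookie as proof of intent, shown next to a hardened handler. This is an added example, not Instagram's code or its actual fix; the handler names, the in-memory MEDIA store and the session-bound HMAC token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key (constructed for this example)
MEDIA = {}                        # media_id -> owner; stand-in for the media store


def csrf_token(session_id: str) -> str:
    """Token bound to the session; a cross-site page cannot read or compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def dismiss_vulnerable(method, session_user, media_id):
    """Flawed pattern: the HTTP method is ignored and nothing proves the
    request came from the site's own UI, so a followed link (GET) deletes."""
    if MEDIA.get(media_id) != session_user:
        return 404
    del MEDIA[media_id]
    return 200


def dismiss_hardened(method, session_user, session_id, media_id, form=None):
    """Hardened pattern: state changes only on POST with a valid CSRF token."""
    if method != "POST":
        return 405  # safe methods (GET/HEAD) must never change state
    supplied = (form or {}).get("csrf_token", "")
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return 403
    if MEDIA.get(media_id) != session_user:
        return 404  # ownership check still applies after the CSRF check
    del MEDIA[media_id]
    return 200


if __name__ == "__main__":
    MEDIA.update({"m1": "alice", "m2": "alice"})  # constructed sample data
    print(dismiss_vulnerable("GET", "alice", "m1"))          # deleted by a plain GET
    print(dismiss_hardened("GET", "alice", "sess-1", "m2"))  # rejected: wrong method
    good = {"csrf_token": csrf_token("sess-1")}
    print(dismiss_hardened("POST", "alice", "sess-1", "m2", good))
```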
Impact:
Timeline:
January 29, 2019 – Report Sent
January 29, 2019 – Triaged
January 30, 2019 – Permanent fix
February 14, 2019 – $3,000 Bounty awarded