Using Browser Tools For Bug Hunting: An Interesting 0$ Write IDOR On Instagram
I’ve been crazy for hacking Instagram, trying hard to get a valid bug and one day as I observed: Instagram app provides more account & app options to the user on mobile as compared to a user browsing on desktop. This scratched my brain, and uh oh! I smashed the fn + F12 on my browser while being signed in to my instagram. This opened the infamous browser developer tools and I toggled the device toolbar to switch my browser to simulate a mobile view. And the story begins…
An Insecure Direct Object Reference (IDOR) arises when arbitrary data entered from user is processed in an unsafe way without integrity check.In this case, while I was testing instagram application, I found that a user has the option to report bugs to instagram in profile settings. However the POST request contains a user_identifier parameter which contains Profile User ID of an instagram user which can unfortunately be tampered, to resemble any other user account and submit report on their behalf.
The reproduction steps were easy peasy:
Users: [Just an Instagram account is required]
Environment: [Tested on Mozilla firefox: with pagination changed to iOS iphone 11]
Browser: [Firefox]
OS: [iOS]
- Goto Profile Settings in Instagram ( Make sure in developer options you’ve set the resolution to Mobile Phone.
- Click on circular setting options
- Click Report Bug
- Type anything and capture the POST request to Graph.facebook.com
- Tamper the user_identifier parameter to resemble any valid user’s user_identifier (This can be fetched easily from visiting a user’s profile)
And guess what, I submitted it to Meta, and the reply was:
RIP Integrity from the CIA triad.
Thats it for this blog guys, have a great day.
