Hi, a few months ago I found a vulnerability on Instagram that allowed me to steal a status. So how did I find this issue? Let's start the story.
When I was new to hunting, it was my dream to report a valid security issue to Facebook, so after a month I decided to hunt on Facebook in the hope of getting a valid bug 🙂
At that time I didn't know that much about recon, so I started by reading write-ups to learn what kinds of bugs were accepted by Facebook. I found that all the bugs disclosed the page admin and some other information, so basically all of them were logical bugs and information disclosures about page admins, etc.
I started hunting for bugs that were logical and that disclosed information about an admin or a private account. I reported several bugs; some were closed as N/A and some as informative. After 5-6 days I found my first valid bug on Facebook, and it was closed as a duplicate. At that time I was seriously very happy that I had found my first valid bug on Facebook.
During those days I posted a status on my Instagram (@theamanrawat), and I thought, why not try hunting on the Android app? So I started by reading disclosed bugs on HackerOne, and I found a report in which the app's database was stored in internal storage. There is a location in the internal storage of your Android device for each application installed on the device. In some cases you will find the local SQLite database of an Android app in that location, and in other cases the files will differ depending on the app's behavior. So I went to the internal location of the Instagram app in the hope of getting the database. I didn't find the database, obviously, but there was something different.
I saw that they had saved the status that I had previously uploaded to my Instagram. I had uploaded an image as my status with some text, and only the text was saved as an image. I confirmed this vulnerability by posting another text status and other types of status, such as video, live video, etc.
Only the text part was saved as an image, so now it was time to exploit. I created an Android application that takes the image from the Instagram app's folder, which was located at this location:
Internal Storage > android > data > com.instagram.android > files > decors > status.jpg
In the above location, status.jpg is my status. My app takes this image, converts it to base64, and sends the base64-encoded data to my server. My server then decodes the base64 back into an image and saves it. In this way I can easily steal the status.
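The path above is the app-specific directory on shared storage, which is what Android's `Context.getExternalFilesDir()` returns. As an added example for developers (not Instagram's code and not from the original write-up; the class and method names are hypothetical), here is that storage choice beside the app-private alternative:

```java
import android.content.Context;
import android.graphics.Bitmap;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/** Hypothetical helper; the class and method names are assumptions for illustration. */
public final class StatusRenderCache {

    private StatusRenderCache() {}

    // Weak: getExternalFilesDir() resolves to <shared storage>/Android/data/<package>/files,
    // the same tree as the path in the write-up. Shared storage is outside the app's
    // private sandbox, so files here are not protected by the app's UID.
    static File saveToExternal(Context ctx, Bitmap rendered) throws IOException {
        File base = ctx.getExternalFilesDir(null);
        if (base == null) {
            throw new IOException("shared storage not available");
        }
        return write(new File(base, "decors"), rendered);
    }

    // Safer: getCacheDir() lives under the app's private data directory,
    // which other apps cannot read on a non-rooted device.
    static File saveToInternal(Context ctx, Bitmap rendered) throws IOException {
        return write(new File(ctx.getCacheDir(), "decors"), rendered);
    }

    private static File write(File dir, Bitmap rendered) throws IOException {
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, "status.jpg");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            if (!rendered.compress(Bitmap.CompressFormat.JPEG, 90, fos)) {
                throw new IOException("JPEG encode failed");
            }
        }
        return out;
    }

    // Remove the temporary render once it is no longer needed, so user content
    // does not linger on disk after the upload completes.
    static void discard(File rendered) {
        if (rendered != null && rendered.exists() && !rendered.delete()) {
            rendered.deleteOnExit();
        }
    }
}
```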
I reported this bug to Facebook on August 17, 2019, and after some further investigation they fixed the issue on April 27, 2020. This is how my bug got accepted after so many tries.
The moral of this is to never lose hope.
Thanks for reading.
Instagram :- https://instagram.com/theamanrawat
Twitter :- https://twitter.com/theamanrawat