Monday, December 9, 2019

Media deletion CSRF vulnerability on Instagram





I noticed a copyright section has been added to Instagram. Whenever a user violates another person's copyright, a notification is shown to delete the media or request an appeal.

After uploading a video containing music, I was faced with the copyright notification.
It was interesting to me, so I started digging into it.

It was possible to delete media with a GET request.

Vulnerable Endpoint: https://www.instagram.com/media/{MEDIA_ID}/copyright/dismiss_am/

The MEDIA_ID is the story_id or post_id of the media that will be deleted.

Opening the malicious link in either the Instagram app or the web caused media deletion in the victim's account.


Android POC: Remove story CSRF in Android


Web POC: Remove post CSRF in web



Impact:
A user could be tricked into deleting content they had posted on Instagram.
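
The root cause described above is a state-changing action reachable by GET with only the session cookie as authorisation. The following is an added example, not Instagram's code or its actual fix: it models the endpoint path from this post with a vulnerable handler beside a hardened one that requires POST and a session-bound CSRF token. The handler names, the `store` and `session` dictionaries and the token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret
ROUTE = re.compile(r"^/media/(?P<media_id>[^/]+)/copyright/dismiss_am/$")


def csrf_token(session_id):
    """Token bound to the session; a cross-site page cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def owned_media(path, session, store):
    """Return the media id if the path matches and the session user owns it."""
    m = ROUTE.match(path)
    if m is None or session is None:
        return None
    media_id = m["media_id"]
    return media_id if store.get(media_id) == session["user"] else None


def dismiss_vulnerable(method, path, session, store, form=None):
    """Pattern described in the post: the session cookie alone authorises a GET."""
    media_id = owned_media(path, session, store)
    if media_id is None:
        return 403
    del store[media_id]  # side effect reachable by any link the user opens
    return 200


def dismiss_hardened(method, path, session, store, form=None):
    """Same action, but only via POST carrying a session-bound token."""
    if method != "POST":
        return 405  # GET has no side effects
    media_id = owned_media(path, session, store)
    if media_id is None:
        return 403
    supplied = (form or {}).get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session["id"]).encode()):
        return 403  # cross-site requests cannot supply the token
    del store[media_id]
    return 200
```
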




Timeline:
January 29, 2019 – Report Sent
January 29, 2019 – Triaged
January 30, 2019 – Permanent fix
February 14, 2019 – $3,000 Bounty awarded