Hello readers! In this article I will be sharing with you how I was able to get a bounty twice with a single simple logic flaw breaking the Instagram story reply restriction.
The bug was in Instagram stories: I could reply to an Instagram story even when the account owner had set the privacy option "Allow message replies" to "off".
Here are the detailed steps of reproduction for my first bug:
- First, I would open an Instagram story on which replies were disabled.
- While in the story, I would send myself a WhatsApp message from a different phone so that my keyboard popped up during the story. (This step could be done in various other ways too.)
- As soon as the keyboard popped up during the story, I noticed that a reply box appeared in that story.
- With the reply box present, I could reply to the story with ease.
The way Facebook fixed this bug was that they no longer allowed the reply button to show up when the keyboard popped up during a story with replies disabled, and they awarded me a three-digit bounty.
So how did I actually manage to bypass this fix?
Since this was just a UI-based fix, a part of me knew this was still vulnerable: all I had to do was find another way to pop up the keyboard and get the reply button to show up again. I tried various ways but none of them seemed to work until I did this:
- Open the previous story, on which replies were enabled, so that the next story to show up automatically would be the one with replies disabled.
- Pop up the keyboard in that previous story and leave it on until the story passed and the next story, with replies disabled, showed up.
- Since my keyboard was already on when the story advanced to the one with replies disabled, the keyboard stayed on and a reply button was there.
- Now that there was a reply option, I could reply to the story again.
This time they implemented a server-side fix: even if someone managed to reply to an Instagram story with replies disabled, he/she would get an error that the message wasn't sent. This time they awarded me a four-digit bounty.
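To show why the second fix held where the first did not, here is an added toy model (my own illustration, not Instagram's code): a server that relies on the client hiding the reply box beside one that re-evaluates the owner's "Allow message replies" setting on the reply endpoint. The setting values, data model and sample accounts are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Story:
    owner: str
    reply_setting: str = "everyone"   # assumed values: "everyone", "followers", "off"

@dataclass
class Graph:
    # owner -> set of accounts that follow the owner (constructed sample data)
    followers: dict = field(default_factory=dict)

def replies_allowed(story: Story, viewer: str, graph: Graph) -> bool:
    """The owner's 'Allow message replies' policy, evaluated from server-side state."""
    if story.reply_setting == "off" or viewer == story.owner:
        return False
    if story.reply_setting == "followers":
        return viewer in graph.followers.get(story.owner, set())
    return story.reply_setting == "everyone"

class ClientGatedServer:
    """Mirrors fix #1: the only gate is the client hiding the reply box.
    Whatever UI path puts a request on the wire, the server stores it."""
    def __init__(self) -> None:
        self.inbox: list = []
    def send_reply(self, story: Story, viewer: str, text: str) -> str:
        self.inbox.append((story.owner, viewer, text))
        return "sent"

class EnforcingServer:
    """Mirrors fix #2: the reply endpoint re-checks the owner's setting and
    refuses the message, so a resurrected reply box no longer matters."""
    def __init__(self, graph: Graph) -> None:
        self.graph = graph
        self.inbox: list = []
    def send_reply(self, story: Story, viewer: str, text: str) -> str:
        if not replies_allowed(story, viewer, self.graph):
            return "error_not_sent"   # the "message wasn't sent" error described above
        self.inbox.append((story.owner, viewer, text))
        return "sent"

def demo() -> dict:
    graph = Graph(followers={"owner": {"follower"}})        # constructed sample graph
    closed = Story(owner="owner", reply_setting="off")
    friends = Story(owner="owner", reply_setting="followers")
    weak, strong = ClientGatedServer(), EnforcingServer(graph)
    return {
        "ui_only_fix": weak.send_reply(closed, "stranger", "hi"),      # "sent": bypassable
        "server_fix": strong.send_reply(closed, "stranger", "hi"),     # "error_not_sent"
        "follower_ok": strong.send_reply(friends, "follower", "hi"),   # "sent"
        "stranger_blocked": strong.send_reply(friends, "stranger", "hi"),
    }
```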
Lesson to learn:
- When your bug gets fixed, try to bypass the fix and check whether the fix was complete; sometimes the security guys can be lazy and not implement a complete fix covering every way the bug could be reproduced.
Thank you for making it to the end of this article.
Leave me a follow: https://www.twitter.com/ibaibhavjha