Bypassing the patch for my previous Instagram bug.

Baibhav Anand
Nov 18, 2019 · 3 min read
Image for post
Image for post

Hello readers! In this article I will be sharing with you how I was able to get bounty twice with a single simple logic flaw breaking Instagram story with a single simple logic flaw breaking Instagram story restriction.

The bug was in Instagram stories, what exactly I could do was I could reply to Instagram stories even when the account owner had set the privacy of Allow message replies to "off".

Here are the details steps of reproduction for my first bug:

  1. Now while I am in the story, from a different phone I would send myself a WhatsApp message to get my keyboard popup during the story. (This step could be done by various other ways too)
  2. Now as soon as the keyboard pops up during the story, what I noticed was there was a reply box in the particular story.
  3. Now that there is a reply box, I could reply to the story with ease.

The way Facebook fixed this bug was that they no longer allowed the reply button to show up when the keyboard popped up during a story with replies disabled and they awarded me with a 3digit bounty.

Now how actually did I manage to bypass this fix?

  1. Opening the previous story on which replies were enabled so that the next story that will automatically show up would be the one with replies disabled.
  2. Now I would pop up the keyboard in that previous story and let the keyboard be on until the story would pass and the next story with replies disabled would show up.
  3. Now that my keyboard was already on and the story lead to the one with replies disabled, my keyboard would still be on and there was a reply button.
  4. Now that there was a reply option I could reply to the story again.

Now this time they implemented a server side fix that even if someone managed to reply to an Instagram story with replies disabled he/she will get an error that the message wasn’t sent. This time they awarded me with a 4digit bounty.

Lesson to learn:

Thank you for making it to the end of this article.

Leave me a follow: https://www.twitter.com/spongebhav

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Sign up for Infosec Writeups

By InfoSec Write-ups

Newsletter from Infosec Writeups Take a look

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Baibhav Anand

Written by

Baibhav@Medium:~$ whoami — A security noob here to share about some of his findings.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Baibhav Anand

Written by

Baibhav@Medium:~$ whoami — A security noob here to share about some of his findings.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store