How I was able to remotely crash any Android user’s Instagram app and was paid a mere $500 for it.
Let me start the article by introducing myself. I am Waleed Ahmed, a 16-year-old boy from Pakistan. Last December I found a vulnerability in Instagram’s Android app by which I was able to remotely crash any Instagram Android user’s app instantly, just by sending a simple message. The vulnerability didn’t even require the victim to open the message. Let me go through how I was able to discover the bug.
One day, I was just scrolling through some of my old chats in my DM folder. I found that in one particular chat with one person, if I tried to scroll up in the chat, the app immediately crashed. I guessed that some message was causing the app to crash on the new Android Instagram app version. In order to find and view the message, I downloaded an older version of the Android Instagram app. On this version, I was able to scroll normally and view the message that was causing my app to crash. The message was 40 emojis with a space between each pair of emojis. I tried sending this message from my old Instagram app to other accounts controlled by me and in every case, it instantly crashed the app. I tried it on multiple Android phones and it worked every time. Furthermore, the vulnerability also allowed me to do the following things:
1: Making previous messages between the attacker and victim inaccessible. When an attacker sends the attack message to the victim, all the previous messages between the attacker and victim become inaccessible to the victim, and he will not be able to see the messages.
2: Making the message requests folder of a celebrity or a normal person inaccessible by sending the celebrity a message request containing the emojis. When an attacker sends this message to any user that has not followed him/her, the message goes into the message requests folder of the victim. When the victim tries to open his/her message requests folder, the message requests folder gets stuck on the loading icon.
3: Making the entire DM folder of a user inaccessible. This happens when the user logs in after the attacker has sent the message. This causes the Instagram DM folder to never load; it is stuck on the loading icon.
I tested all of these things personally and reported them in my Facebook bug report.
28 November: Initial report.
1 December: Facebook staff creates an Instagram account for me to demonstrate the bug.
6 December: Acknowledgement of the bug.
14 December: Bug fixed.
20 December: Bug bounty of $500 issued.
20 December: I write a follow-up asking if the bug bounty correctly reflects the impact of the bug.
22 December: Facebook replies that they have determined that this is the appropriate bounty for this bug.
Here is my conversation with one of the Facebook staff members who created an account for me to demonstrate the bug.
I don’t think that a bug with an impact of this magnitude deserves a mere bug bounty of $500. Consider some bots sending millions of these messages to millions of Instagram users, disrupting the usage of the Instagram app for those millions of users. I think Facebook should award its researchers more fairly.