How I was able to find a logical bug on Instagram

jabir khan
Dec 13, 2019 · 2 min read

This article is about a logical bug that I was able to discover while surfing Instagram. Not only did it earn me a place in Facebook’s Hall of Fame, but it also gave me a different perspective while doing bug bounty.

I don’t use Instagram much, but one fine evening I thought of checking my Instagram account on my laptop. I decided to change the password, as I hadn’t used Instagram for a long time. I went to Settings and changed my password.


After I changed the password, I decided to test the functionalities on the Settings tab to see if I would be able to find a loophole or a bug. My eyes caught an option named “Authorized Apps.” I understood from its name that it should list the third-party apps to which I may have given permission to access my data. I clicked that option and found two tabs: Active and Expired. After I clicked the Active tab, I saw “TikTok” listed as an active authorized app.

The moment I saw TikTok as an authorized app, it surprised me, because I had never created a TikTok account or integrated it with Instagram. Without a second thought, I tried to remove TikTok from the list. Surprisingly, it gave an error message in the bottom left corner that said “there was a problem revoking access.”


I recognized that it was a logical bug and quickly reported it to Facebook for a fix. Facebook’s triage team acknowledged the issue and awarded me a bounty. In this way, a simple logical bug on Instagram earned me a bounty and a place in the Hall of Fame.

P.S — I would like to thank Mr. Ajay Gautam, Head of Security at Nassec, for helping me report the issue to Facebook.

Author — Jabir is an independent security researcher and a bug bounty hunter. As a security researcher, he has been inducted into Facebook’s Hall of Fame. You can follow him on Twitter @jabirkhan0x0.

Editor’s Note — We will be publishing write-ups related to cybersecurity every week. We are looking to grow our community. If you are interested in writing about cybersecurity, please email us at blog@nassec.io.

Infosec Daily

All things Infosec.


From tool reviews to the latest hacking news, from regular updates in the industry to educational tutorials. Infosec is here to take care of all your questions regarding Cyber Security. Infosec is an enterprise launched by nassec.io.
