This article is based on a logical bug that I was able to discover while surfing Instagram. Not only did it earn me a place in Facebook's Hall of Fame, but it also gave me a different perspective while doing bug bounty hunting.
I don’t use Instagram much, but one fine evening I thought of checking my Instagram account on my laptop. Since I hadn’t used Instagram for a long time, I decided to change the password. I went to Settings and changed my password.
After I changed the password, I decided to test the functionalities on the Settings tab to see if I would be able to find a loophole or a bug. My eyes caught an option named “Authorized Apps.” I understood from its name that it should list the third-party apps to which I may have given permission to access my data. I clicked that option and found two tabs: Active and Expired. After I clicked the Active tab, I saw “TikTok” listed as an active authorized app.
The moment I saw TikTok as an authorized app, it surprised me because I had never created a TikTok account or integrated it with Instagram. Without a second thought, I tried to remove TikTok from the list. Surprisingly, it gave an error message in the bottom-left corner that read “there was a problem revoking access.”
I recognized that it was a logical bug and quickly reported it to Facebook for a fix. Facebook’s triage team acknowledged the issue and awarded me a bounty. In this way, a simple logical bug on Instagram earned me a bounty and a place in the Hall of Fame.
P.S — I would like to thank Mr. Ajay Gautam, Head of Security at Nassec, for helping me report the issue to Facebook.
Author — Jabir is an independent security researcher and a bug bounty hunter. As a security researcher, he has been inducted into Facebook's Hall of Fame. You can follow him on Twitter at @jabirkhan0x0.
Editor’s Note — We will be publishing write-ups related to cybersecurity every week. We are looking to grow our community. If you are interested in writing about cybersecurity, please email us at firstname.lastname@example.org.