Hassan Saayed

Published On: 29 Apr 2021

Open redirect in Instagram onetap flow.

Open Redirect
Instagram | Web
---
MEDIUM VALID
Description

After logging in to your Instagram account from a web browser, you are offered the option to "Save Your Login Info". The endpoint behind it, [ https://www.instagram.com/accounts/onetap/?next=/ ], was exposed to an open redirect bug in the "next" parameter, which led to a bypass of the linkshim protection.

Impact

This flaw can be used in phishing attacks to get users to visit malicious websites from within the application.

Reproduction Steps

Step 1

Once you have logged in to your Instagram account from a web browser, you will land on this URL:
[ https://www.instagram.com/accounts/onetap/?next=/ ].

Step 2

Now construct the malicious URL. In the "next" parameter, add [ https://:/// ] (it does not matter how many / are added after https://: ; e.g., https://:/ also works). After [ https://:/// ], add the malicious website. TEST = ( https://:///www.evilzone.org/ ).

Step 3

URL-encode TEST, so that it becomes [ https%3A%2F%2F%3A%2F%2F%2Fwww.evilzone.org%2F ].

Step 4

Add the encoded TEST to the "next" parameter.

Result : [ https://www.instagram.com/accounts/onetap/?next=https%3A%2F%2F%3A%2F%2F%2Fwww.evilzone.org%2F ]

Open this URL; pressing " Not Now " or " Save Info " redirects to the desired site.

It will redirect to https://www.evilzone.org/ .
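As an added example (not from the report and not Instagram's code), the Python below contrasts a hostname-based "is this a local path" check, which is the kind of check the Step 2 value slips past, with a validator that accepts only site-relative paths. SITE_ORIGIN and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse, urljoin, unquote

# Assumption for this example: the origin the login flow lives on.
SITE_ORIGIN = "https://www.instagram.com"

# The value from Step 2 of the report and its URL-encoded form from Step 3.
PAYLOAD = "https://:///www.evilzone.org/"
ENCODED_PAYLOAD = "https%3A%2F%2F%3A%2F%2F%2Fwww.evilzone.org%2F"

def hostname_allowlist_check(next_url: str) -> bool:
    """Hypothetical check of the shape such payloads evade (not Instagram's code):
    'no hostname means a relative path, so it is safe'.

    urlparse() reads the payload as scheme 'https', netloc ':' and
    path '///www.evilzone.org/'; the empty host makes .hostname None,
    so this check wrongly treats the value as local."""
    parsed = urlparse(next_url)
    return parsed.hostname is None or parsed.hostname == urlparse(SITE_ORIGIN).hostname

def safe_next(candidate: str, default: str = "/") -> str:
    """Hardened version: accept only a path relative to this site.

    Absolute URLs, scheme-relative '//host', backslash variants and
    control characters all fall back to the default landing page."""
    if not candidate:
        return default
    # Exactly one leading '/': rejects 'https://...', '//evil' and '/\\evil'.
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    # Some parsers strip whitespace and control characters; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return default
    # Resolve against the site origin and confirm the origin is unchanged.
    resolved = urlparse(urljoin(SITE_ORIGIN, candidate))
    base = urlparse(SITE_ORIGIN)
    if (resolved.scheme, resolved.netloc) != (base.scheme, base.netloc):
        return default
    return candidate

def redirect_target(raw_next_param: str) -> str:
    """Location a handler would emit: decode the query value as a web
    framework would, validate it, then resolve it against the site."""
    return urljoin(SITE_ORIGIN, safe_next(unquote(raw_next_param)))

if __name__ == "__main__":
    print("naive check accepts payload:", hostname_allowlist_check(PAYLOAD))
    print("hardened target:", redirect_target(ENCODED_PAYLOAD))
```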


Timeline

Hassan, 22 Feb 2021: Initial Report
Facebook, 24 Feb 2021: PreTriaged
Facebook, 24 Feb 2021: Triaged
Facebook, 31 Mar 2021: Bounty awarded
Facebook, 20 Apr 2021: Bug fixed