Majd Dhainy

Published On: 09 Apr 2020

Bypass the 'Allow Message Replies' setting in Instagram

Privacy/Authentication
Instagram | Android
---

It's possible to bypass the "Allow Message Replies" setting in IG. You can grab the story media id and create a comment on it, even if it does not have a comment sticker.

Description

By inserting a story ID into a view post request, the story is loaded as a post and can be interacted with and commented on, with notifications reaching the user who uploaded the story. The view post request is on this endpoint: GET /api/v1/media/[POST_ID]/info/ HTTP/1.1

Impact

If we comment on this post, the victim gets a notification that says [Attacker commented on your story]. The victim will be shocked because he already disabled replies on his story and there is no feature for commenting on a user's story!




Reproduction Steps

Step 1

Go to the victim's account and react to his story [OR report the story].

Step 2

Intercept the above request and search for the media_id of the victim's story: media_id = XXXXXXXXXX

Step 3

Share any of your posts to your story.

Step 4

Go to your story and click on view post.

Step 5

Intercept the above request:

GET /api/v1/media/[post_ID]/info/ HTTP/1.1

Step 6

Replace the post_ID with the media_id of the victim's story:

GET /api/v1/media/XXXXXXXXXX/info/ HTTP/1.1

Step 7

Now we can view the victim's story as if it were a regular post. (You can like and comment on it.)
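
The root cause described above is a server that handles whatever media id the client supplies as a feed post. The following is an added example, not code from the report or from Instagram: a minimal model of an interaction handler without and with an authorization check on the stored media kind and the owner's settings. The media kinds, the `ALLOWED` table, the `comments_enabled` flag, the function names and the sample ids are all assumptions.

```python
# Added illustration: a hypothetical server-side model, not Instagram's code.
from dataclasses import dataclass

FEED_POST, STORY = "feed_post", "story"           # assumed media kinds
# Deny by default: each media kind lists the only interactions it supports.
ALLOWED = {FEED_POST: {"comment", "like"}, STORY: {"reply"}}


@dataclass
class Media:
    owner: str
    kind: str
    allow_replies: bool = True     # owner's "Allow Message Replies" setting
    comments_enabled: bool = True  # assumed per-post comment toggle


# Constructed sample data; the ids are placeholders.
MEDIA = {
    "1001": Media("attacker", FEED_POST),
    "2002": Media("victim", STORY, allow_replies=False),
}


def interact_vulnerable(actor, media_id, action):
    """Handles whatever id the client supplied as if it were a feed post."""
    media = MEDIA[media_id]
    return (media.owner, f"{actor} {action} on your {media.kind}")


def deny_reason(media, action):
    """Return why the action is refused, or None when it is allowed."""
    if media is None:
        return "unknown media"
    if action not in ALLOWED[media.kind]:
        return f"{action} is not supported on {media.kind}"
    if action == "reply" and not media.allow_replies:
        return "owner disabled message replies"
    if action == "comment" and not media.comments_enabled:
        return "owner disabled comments"
    return None


def interact_hardened(actor, media_id, action):
    """Authorizes against the stored media kind and the owner's settings."""
    media = MEDIA.get(media_id)
    reason = deny_reason(media, action)
    if reason:
        raise PermissionError(reason)
    return (media.owner, f"{actor} {action} on your {media.kind}")
```

The decision is made from the object the server looked up, so it holds no matter which endpoint or client screen the id arrived through.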


Timeline

Majd, 17 Mar 2020: Initial Report

Facebook, 25 Mar 2020: Report Triaged

Facebook, 07 Apr 2020: Fixed By Facebook

Majd, 07 Apr 2020: Fix Confirmed

Facebook, 09 Apr 2020: Bounty awarded

VALID