Majd Dhainy

Published On: 24 Oct 2019

Crash App Notification Section and Livestream

DoS
Instagram | Android
---
MEDIUM VALID

The bug was initially found in the "ask me a question" section of the app, but we later found that any livestream on Instagram automatically has an "ask me a question" section, which extends the impact of the bug to the livestream service too.

Description

Since no back-end checks were in place, an attacker could crash a victim's app by sending a very large request as a question.
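A back-end check of the kind the description says was missing, as an added example (not Instagram's or the reporter's code). The function name, the exception class and both size limits are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs

# Assumed limits for illustration; the page does not state the real ones.
MAX_BODY_BYTES = 8 * 1024     # cap on the whole form-encoded request body
MAX_QUESTION_CHARS = 280      # cap on the decoded question, in code points


class QuestionRejected(ValueError):
    """Raised when a submitted question must not be stored or fanned out."""


def validate_question(raw_body: bytes) -> str:
    """Return the cleaned question text, or raise QuestionRejected.

    Meant to run server-side before the question is stored or pushed to the
    recipient's notifications, livestream or story question list, so that
    clients never receive a payload they cannot render.
    """
    # 1. Check the raw size first, so an oversized body is never decoded.
    if len(raw_body) > MAX_BODY_BYTES:
        raise QuestionRejected("request body too large")
    try:
        fields = parse_qs(raw_body.decode("utf-8"),
                          strict_parsing=True, max_num_fields=20)
    except (UnicodeDecodeError, ValueError) as exc:
        raise QuestionRejected("malformed form body") from exc

    # 2. Require exactly one text parameter; a duplicate could carry a
    #    second value that a later parser picks instead of the checked one.
    values = fields.get("text", [])
    if len(values) != 1:
        raise QuestionRejected("expected exactly one text parameter")

    # 3. Drop control characters, then enforce the length limit on the
    #    decoded text (percent-encoding inflates the raw byte count).
    text = "".join(ch for ch in values[0]
                   if ch.isprintable() or ch == "\n").strip()
    if not text:
        raise QuestionRejected("empty question")
    if len(text) > MAX_QUESTION_CHARS:
        raise QuestionRejected("question too long")
    return text
```

Clients that render questions can apply the same length cap defensively, so that content stored before the server-side check existed cannot crash them.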

Impact

- Crash victim's app when opening notifications section
- Crash victim's app while live streaming
- Crash victim's app when checking their stories questionnaire section




Reproduction Steps

Step 1

Find a user who is live streaming and send a question to their live stream.

Step 2

Capture the request; it contains the parameter:

&text=your_question

Change the your_question part to a very large text, then forward the request.

Other Impact

The same attack could be done on a regular story with a questionnaire in it. The attack then crashes the victim's app when they open the questions of this story and when they open the notifications section, since the question also appears there.



Timeline
- Majd, 19 May 2019: Initial Report
- Majd, 20 May 2019: Additional Information
- Facebook, 23 May 2019: Problems During Reproduction
- Majd, 23 May 2019: Additional Information and Reproduction Steps
- Majd, 16 Jun 2019: Additional Information
- Facebook, 08 Aug 2019: Triaged
- Facebook, 06 Sep 2019: Fix Committed
- Majd, 07 Sep 2019: Fix Confirmation
- Facebook, 21 Oct 2019: Bounty Awarded
