Privilege escalation in Instagram chat groups: a user can reject another user's request to join an Instagram chat group without being the admin.
By forging a request similar to the legitimate join-request rejection, a non-privileged user can send the fake request and get a valid response, and in turn reject anyone wanting to join the group chat without having to be an administrator of that chat room.
This could have let non-admin Instagram chat participants reject pending join requests to Instagram chat rooms.
ADMIN creates a new chat group with "Approval required to join" enabled and adds ATTACKER as a regular non-privileged user.
Another user in the chat group invites VICTIM to the chat, but the invitation first needs to be accepted by an admin, so the request is pending.
ATTACKER captures the Leave chat request and changes:
ATTACKER adds the parameter [user_ids] to the body:
Note: %5B and %5D are the URL-encoded forms of [ and ].
where 4 is the ID of VICTIM
ATTACKER sends the request and VICTIM is not allowed to join the chat.
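
The server-side check whose absence the steps above describe, as an added example (not Instagram's code and not part of the original report): the leave action refuses any client-supplied target list, and rejecting a join request is gated on the caller's admin role. The Chat model, the function names, the thread_id parameter and user IDs 1 to 3 are assumptions; 4 is VICTIM as in the steps above.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller lacks the role the action requires."""

class BadRequest(Exception):
    """Request carries a parameter the endpoint does not accept."""

@dataclass
class Chat:  # hypothetical model, not Instagram's
    admins: set
    members: set
    pending: set = field(default_factory=set)  # join requests awaiting approval

def leave_chat(chat, caller_id, params):
    # Leaving only ever applies to the caller. A target list supplied by the
    # client (such as user_ids) is refused instead of being silently honoured.
    unexpected = set(params) - {"thread_id"}
    if unexpected:
        raise BadRequest(f"unexpected parameters: {sorted(unexpected)}")
    if caller_id not in chat.members:
        raise Forbidden("caller is not a participant")
    chat.members.discard(caller_id)
    chat.admins.discard(caller_id)

def reject_join_requests(chat, caller_id, user_ids):
    # The role is read from server-side state on every request, before any
    # pending entry is touched.
    if caller_id not in chat.admins:
        raise Forbidden("only an admin can reject join requests")
    rejected = chat.pending & set(user_ids)
    chat.pending -= rejected
    return rejected

def demo():
    # Constructed data: 1 = ADMIN, 2 = ATTACKER, 3 = inviter, 4 = VICTIM.
    chat = Chat(admins={1}, members={1, 2, 3}, pending={4})
    outcomes = []
    for call in (lambda: leave_chat(chat, 2, {"thread_id": "t1", "user_ids": [4]}),
                 lambda: reject_join_requests(chat, 2, [4])):
        try:
            call()
            outcomes.append("allowed")
        except (BadRequest, Forbidden) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, set(chat.pending)

if __name__ == "__main__":
    print(demo())
```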