Majd Dhainy

Published On: 20 Aug 2019

Privilege Escalation in Instagram Chat Groups

IDOR
Instagram | Android
---
LOW VALID

Privilege escalation in Instagram chat groups: a participant can reject a user's join request to the chat group without being the admin.

Description

By forging a request that mimics the one used to reject a join request, a non-privileged user gets a valid response and can in turn reject anyone wanting to join the group chat, without being an administrator of that chat room.

Impact

This could have let non-admin Instagram chat participants reject pending join requests to Instagram chat rooms.




Reproduction Steps

Step 1

ADMIN creates a new chat group with "Approval required to join" enabled and adds ATTACKER as a regular non-privileged user

Step 2

Another user in the chat group invites VICTIM to the chat, but the invitation needs to first be accepted by an admin so the request is pending.

Step 3

ATTACKER captures the Leave chat request and changes:

"/api/v1/direct_v2/threads/5555/leave/"

to

"/api/v1/direct_v2/threads/5555/deny_participant_requests/"

Step 4

ATTACKER adds the parameter user_ids to the body:
&user_ids=%5B4%5D

Note: %5B and %5D are the URL-encoded forms of [ and ], and 4 is the id of VICTIM.

Step 5

ATTACKER sends the request and VICTIM is not allowed to join the chat.
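The authorization gap behind these steps, as an added example on a toy in-memory model (not Instagram's code and not part of the original report). It assumes the vulnerable handler checked only that the caller is a participant; the `Thread` class and both handler names are hypothetical.

```python
# Added illustration: a toy in-memory model, not Instagram's implementation.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is not allowed to perform the action on this thread."""


@dataclass
class Thread:
    admins: set
    members: set
    pending: set = field(default_factory=set)  # join requests awaiting approval


# Constructed sample data mirroring the report: thread 5555, VICTIM has id 4.
ADMIN, ATTACKER, VICTIM = 1, 2, 4


def make_threads():
    return {5555: Thread(admins={ADMIN}, members={ADMIN, ATTACKER}, pending={VICTIM})}


def deny_requests_vulnerable(threads, caller_id, thread_id, user_ids):
    """Assumed flaw: checks participation (enough for /leave/) but not the role."""
    thread = threads[thread_id]
    if caller_id not in thread.members:
        raise Forbidden("not a participant")
    thread.pending -= set(user_ids)
    return sorted(thread.pending)


def deny_requests_fixed(threads, caller_id, thread_id, user_ids):
    """Authorizes the action itself: only an admin of this thread may deny."""
    thread = threads.get(thread_id)
    # Same error for an unknown thread and a non-member, so ids cannot be probed.
    if thread is None or caller_id not in thread.members:
        raise Forbidden("not a participant")
    if caller_id not in thread.admins:
        raise Forbidden("admin role required")
    targets = set(user_ids)
    if not targets <= thread.pending:
        raise ValueError("user_ids must all be pending requests")
    thread.pending -= targets
    return sorted(thread.pending)
```

The role check has to live in every privileged thread action, since the client decides which endpoint path it sends.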


Timeline

Majd, 07 Jul 2019: Initial Report
Majd, 19 Jul 2019: Asking for updates on the issue
Facebook, 24 Jul 2019: Issue Acknowledgment
Facebook, 14 Aug 2019: Report marked as informative
Majd, 16 Aug 2019: Further Explanation of possible security impact
Facebook, 20 Aug 2019: Issue Confirmation

VALID