Published On: 10 Apr 2020
A single image could be sent in multiple messages in multiple different chats.
Suppose the attacker sends an inappropriate image to a group. The group admin removes the attacker for sending inappropriate content.
(Now the attacker can do nothing inside this group.) But using this bug the attacker unsends the image and it is removed from the group, so the other members of the group think the admin removed the attacker for no reason!
Step 1: Send photo [A] to the group (ID: 1).
Step 2: Intercept the request.
~> In the body of the request to this endpoint "POST /direct_v2/web/threads/broadcast/configure_photo/":
* suppose the upload_id of [A] is 111
Step 3: Save the parameter => [upload_id] of photo [A].
Step 4: Send another photo [B] to another group (ID: 2).
Step 5: Intercept the request.
~> In the body of the request to this endpoint "POST /direct_v2/web/threads/broadcast/configure_photo/":
* suppose the upload_id of [B] is 222
Step 6: Change the (upload_id) of photo [B] to the one of photo [A] {replace 222 by 111}.
Step 7: Now if you refresh you can see that the same photo (photo [A]) is loaded in the 2 chats.
After the attacker is removed from / leaves the group (ID: 1):
Step 8: The attacker is no longer able to unsend the image from the group (ID: 1) because he/she is outside the group.
Step 9: Instead, he/she unsends the image from the chat with the other group (ID: 2).
Step 10: The image is unsent from the 2 groups (ID: 1 & ID: 2) [because the same image, i.e. the same "upload_id", is referenced in multiple messages].
After some testing on the Instagram [Android application] it became apparent that this problem also affects audio clips and videos and is not limited to photos. This further increases the impact of the attack, as it could be used on photos and voice notes too. The reproduction steps are the same but with different endpoints:
===============================
Voice Endpoint:
POST /api/v1/direct_v2/threads/broadcast/share_voice/ HTTP/1.1
Parameter: upload_id=
===============
Video Endpoint:
POST /api/v1/media/configure_to_story/?video=1 HTTP/1.1
Parameter: "upload_id":""
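The root cause is that the server accepted any upload_id in the configure request and treated unsend as deletion of the shared media object. The following added example (not Instagram's code; MediaService, the thread ids and user names are constructed for illustration) models the reported behaviour with strict=False and the server-side fix with strict=True: bind each upload_id to the uploader, make it single-use, and have unsend drop only the message reference.

```python
# Added toy model of a direct-message media service (hypothetical, not Instagram's code).
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

class MediaError(Exception):
    pass

@dataclass
class MediaService:
    strict: bool = True   # False reproduces the reported bug, True applies the fix
    uploads: Dict[str, Tuple[str, bool]] = field(default_factory=dict)   # upload_id -> (owner, attached)
    members: Dict[int, Set[str]] = field(default_factory=dict)           # thread_id -> member set
    messages: Dict[str, Tuple[int, str]] = field(default_factory=dict)   # message_id -> (thread_id, upload_id)

    def upload(self, user: str, upload_id: str) -> None:
        self.uploads[upload_id] = (user, False)

    def configure_photo(self, user: str, thread_id: int, upload_id: str, message_id: str) -> None:
        """Attach an uploaded object to a new message (the configure_photo step)."""
        if user not in self.members.get(thread_id, set()):
            raise MediaError("caller is not a member of the thread")
        owner, attached = self.uploads[upload_id]
        if self.strict and owner != user:
            raise MediaError("upload_id was not uploaded by the caller")
        if self.strict and attached:
            raise MediaError("upload_id is single-use and is already attached to a message")
        self.uploads[upload_id] = (owner, True)
        self.messages[message_id] = (thread_id, upload_id)

    def unsend(self, user: str, message_id: str) -> None:
        thread_id, upload_id = self.messages[message_id]
        if user not in self.members.get(thread_id, set()):
            raise MediaError("caller is no longer a member of the thread")
        del self.messages[message_id]           # fixed path: only this reference goes away
        if not self.strict:
            self.uploads.pop(upload_id, None)   # buggy path: the shared object is deleted outright

    def visible_media(self, thread_id: int) -> Set[str]:
        return {u for t, u in self.messages.values() if t == thread_id and u in self.uploads}

def run_scenario(strict: bool):
    """Replays steps 1 to 10 above; returns media still visible in group 1, or 'blocked'."""
    svc = MediaService(strict=strict)
    svc.members = {1: {"attacker", "admin"}, 2: {"attacker", "other"}}
    svc.upload("attacker", "111")
    svc.configure_photo("attacker", 1, "111", "msg_a")      # photo [A] into group 1
    svc.upload("attacker", "222")
    try:
        svc.configure_photo("attacker", 2, "111", "msg_b")  # tampered: 222 replaced by 111
    except MediaError:
        return "blocked"
    svc.members[1].discard("attacker")                      # admin removes the attacker
    svc.unsend("attacker", "msg_b")                         # unsend from group 2
    return sorted(svc.visible_media(1))
```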