Published On: 26 Apr 2020
Tag cannot be removed after blocking tagged user
Privacy/Authentication
Instagram | Android
---
LOW VALIDDescription
This is not Security Bug as of I think more of a feature bug. In Instagram, we can tag another user and other User can remove the tag if he doesn't want to tag in that post. So I Found that After tagging someone and block that user tag will be there in post and Victim cannot remove Tag because attacker has blocked them already.
Impact
The attacker can Tag victim and share unnecessary content which Victim may not want to disclose with his or her username And there is no way to remove that tag that he or she is tagged
Reproduction Steps
Step
1
User A[The Attacker] logs in and posts a photo to User A's profile, tagging User B[The Victim]
Step
2
User A then blocks User B
Step
3
User C can then view User A's profile, and see the post tagging User B.
Step
4
User B cannot see the post they are tagged in and has no way to remove the tag.
Solution
Facebook Fixed this issue by self-removing the tag on blocking the tagged User.
