


Researcher Wins Bounty for Finding Instagram App Crash Bug


Security researchers have been quite active in the past few months in discovering and reporting bugs in Facebook-owned Instagram. In fact, a Chennai-based techie won a bug bounty from Instagram twice for reporting bugs. Earlier this week, another white-hat hacker disclosed a bug in the photo-sharing platform that could have been used to remotely crash the Instagram app of any Android user.

The security researcher, who goes by the name "valbrux", had initially discovered that Instagram uses a "simple incremental PKID in its database to define user accounts". On further digging, he was able to find that one of the first accounts (PKID 3 or 4) created on Instagram belonged to Mike Krieger, one of the co-founders of Instagram.

However, the first and second Instagram accounts, having PKIDs 1 and 2, seemed a bit suspicious to him. He was able to find that the usernames of these first two accounts contained an empty string even though they were associated with an ID.

The researcher saw a chance of a vulnerability with these "ghost users". He created a conversation group on Instagram with the other two accounts on a Samsung Galaxy S8+ running Android 8.0 Oreo and found the app crashing unless he/she is removed from the group.

"This was probably caused by a JSON parsing exception of the empty string in the ghost user's username," says the researcher.

If this exploit had reached the wrong hands, it would have given him/her the power to remotely crash the app of any Instagram Android user by simply adding the victim to a common group where the ghost user is a fellow member. Moreover, the researcher notes that no request has to be accepted by your Instagram followers if they are adding you to a group. Otherwise, accepting a group join request is mandatory.
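The failure mode the researcher suspects, one malformed record in server-supplied data aborting the whole client, is shown below next to a hardened parser that isolates each record. This is an added illustration in Python, not Instagram's code; the payload shape, field names and function names are assumptions.

```python
import json

# Constructed sample of a group-thread payload. Field names are assumptions,
# not Instagram's real API. The member with pk 1 has an empty username.
SAMPLE_THREAD = json.dumps({
    "thread_id": "t-1001",
    "members": [
        {"pk": 1, "username": ""},
        {"pk": 4, "username": "alice"},
        {"pk": 7},                      # username missing entirely
        {"pk": 9, "username": "bob"},
    ],
})


class MalformedMember(ValueError):
    """Raised when a member record fails validation."""


def parse_member(record):
    """Validate one member record; reject anything the UI cannot render."""
    pk = record.get("pk")
    username = record.get("username")
    if not isinstance(pk, int) or isinstance(pk, bool):
        raise MalformedMember(f"bad pk: {pk!r}")
    if not isinstance(username, str) or not username.strip():
        raise MalformedMember(f"empty or missing username for pk {pk}")
    return {"pk": pk, "username": username}


def load_thread_fragile(payload):
    """Fragile: the first bad record aborts the whole thread (the crash case)."""
    thread = json.loads(payload)
    return [parse_member(m) for m in thread["members"]]


def load_thread_hardened(payload):
    """Hardened: isolate each record, keep the good ones, report the rest."""
    thread = json.loads(payload)
    members, rejected = [], []
    for record in thread.get("members", []):
        try:
            members.append(parse_member(record))
        except (MalformedMember, AttributeError) as exc:
            rejected.append(str(exc))   # send to telemetry instead of crashing
    return members, rejected
```

The rejected list is worth alerting on: a record that the server should never have produced is a signal of a data-integrity problem upstream, not only a client-side rendering issue.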


The security researcher contacted the Facebook Whitehat Team regarding the bug back in April, following which Facebook requested more information regarding the attack. The bug was acknowledged and fixed, and the bounty was awarded last week, which led him to disclose the bug safely without affecting the platform.

Source: https://beebom.com/instagram-app-crash-bug-bounty/

Posted by: smithyouslovis.blogspot.com
