In this blog we will be continuing our talk about Business logic bugs and how dangerous and simple they can become, I will be showing you one of the simplest yet the most dangerous bugs I have found in the gigantic photo sharing app Instagram but first lets get an overview of some concepts and general knowledge.
What is Instagram? ~Wikipedia
Instagram is a mobile, desktop, and Internet-based photo-sharing application and service that allows users to share pictures and videos either publicly or privately. Instagram lets registered users upload photos or videos to the service. Users can apply various digital filters to their images, and add locations. They can add hashtags to their posts, linking the photos up to other content on Instagram featuring the same subject or overall topic. Instagram was acquired by Facebook in April 2012 for approximately US$1 billion in cash and stock.Soon enough after being acquired Instagram joined Facebook bug bounty program.
General features of social media applications:
A social media app generally has features such as follow, unfollow block, unblock, Private account, public account, inviting friends, connecting to other social media apps and adding applications to your account, etc… Those features must be tested thoroughly for bugs such as XSS, IDOR, CSRF, etc.. but most importantly these features must work as intended or else the app will be vulnerable to business logic attacks.
Background of bug hunting in Instagram:
I was searching around the “Block feature” and trying to understand what can I do after blocking somebody and the level of interaction i can have with somebody I have blocked.I figured out after blocking somebody I can mention them in any post and they won’t get a notification, I can tag them in pics and they won’t also get notifications. Those 2 trivial bugs were reported and both were refused as having low risk to users.
Determined to get in Facebook Hall of fame I continued my research to the successful end.
Why did the bug existed:
Following the rejection of those 2 bugs (Mentions and Tags) I came out with the nastiest of them all 😈 I can follow somebody after blocking them without unblocking them that is to say I am following you but blocking you simultaneously at the same time! So the bug existed because the app has broken logic where I could follow and block somebody at the same time.
This could be exploited from the app without any tools just block somebody then follow them. It is really that simple!
What is the impact of this bug?
You don’t get notified of that follow I made after blocking you.
I don’t appear in the followers list although the number of followers will increase by one.
I see your photos, activities and everything related BUT you can’t block me, you don’t know I exist in your followers list in the first place 😀
Facebook fixed this bug and awarded a generous bounty reflecting the simplicity of exploitation as well as the high impact.
I hear some people are saying “Easy Money!” No it’s not, trust me, those kind of logical bugs need a well and full study of how the application in front of you operates (which takes time, and time is money for sure).