Security researcher Neeraj Sharma has described a vulnerability he discovered in Instagram that allowed attackers to change the icon (cover thumbnail) of any reel. (Reels are short videos of up to 60 seconds which, unlike stories, do not disappear after 24 hours.) Meta fixed the vulnerability before it was exploited at scale.
As Sharma explained, the problem was in the feature for editing a reel's icon. While changing the icon of one of his own reels, the researcher intercepted the app's HTTP requests and identified the vulnerable endpoint.
More precisely, the request carried two user-controlled parameters: clips_media_id (the ID of the reel) and upload_id (the ID of the photo the user wants to set as the icon). Sharma replayed the request between two of his own Instagram accounts, substituting the other account's reel ID, and the icon changed. According to him, the endpoint never checked that the caller owned the reel named by clips_media_id, so anyone who knew a target's media ID could change the icons of that user's reels: a classic missing-authorization (insecure direct object reference) flaw.
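The pattern described above, as an added illustration that is not Instagram's or the researcher's code: a hypothetical edit-cover handler that resolves the reel purely by clips_media_id (the bug), next to a hardened version that requires the session user to own both the reel and the uploaded photo before mutating anything. Endpoint shape, data model and session handling are assumptions; only the two parameter names come from the article.

```python
"""Missing ownership check on a "set reel cover" endpoint, vulnerable vs fixed.

Hypothetical example, not Instagram code. The store, Reel/Upload records and
session_user argument are assumptions standing in for a real backend; the
parameter names clips_media_id and upload_id are the ones named in the article.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not edit the requested reel or use the upload."""


@dataclass
class Reel:
    media_id: str
    owner_id: str
    cover_upload_id: str


@dataclass
class Upload:
    upload_id: str
    owner_id: str


@dataclass
class Store:
    reels: dict = field(default_factory=dict)
    uploads: dict = field(default_factory=dict)


def make_store() -> Store:
    # Constructed sample data: two accounts, one reel and one uploaded photo each.
    s = Store()
    s.reels["reel_A"] = Reel("reel_A", "alice", "cover_A")
    s.reels["reel_B"] = Reel("reel_B", "bob", "cover_B")
    s.uploads["photo_A"] = Upload("photo_A", "alice")
    s.uploads["photo_B"] = Upload("photo_B", "bob")
    return s


def edit_cover_vulnerable(store: Store, session_user: str, params: dict) -> Reel:
    """Handler with the flaw the article describes: the caller is authenticated,
    but the reel is looked up by clips_media_id alone, with no check that it
    belongs to session_user. Any logged-in user who knows a media ID wins."""
    reel = store.reels[params["clips_media_id"]]
    reel.cover_upload_id = params["upload_id"]
    return reel


def edit_cover_fixed(store: Store, session_user: str, params: dict) -> Reel:
    """Hardened handler: resolve both object IDs, then require that the session
    user owns the reel AND the photo before writing anything."""
    reel = store.reels.get(params["clips_media_id"])
    upload = store.uploads.get(params["upload_id"])
    # One generic failure for "does not exist" and "not yours", so the endpoint
    # cannot be used to enumerate which media IDs are valid.
    if reel is None or upload is None:
        raise Forbidden("reel or upload not accessible")
    if reel.owner_id != session_user or upload.owner_id != session_user:
        raise Forbidden("reel or upload not accessible")
    reel.cover_upload_id = upload.upload_id
    return reel


def demo() -> tuple:
    """Replay the cross-account attack against both handlers.

    Returns (bob's cover after the vulnerable handler, whether the fixed handler
    refused, bob's cover after the fixed handler)."""
    # alice (the attacker) targets bob's reel with her own uploaded photo.
    attack = {"clips_media_id": "reel_B", "upload_id": "photo_A"}

    vulnerable_store = make_store()
    after_vuln = edit_cover_vulnerable(vulnerable_store, "alice", attack).cover_upload_id

    fixed_store = make_store()
    try:
        edit_cover_fixed(fixed_store, "alice", attack)
        refused = False
    except Forbidden:
        refused = True
    return after_vuln, refused, fixed_store.reels["reel_B"].cover_upload_id


if __name__ == "__main__":
    print(demo())  # ('photo_A', True, 'cover_B')
```

The fixed handler also checks the upload_id, not just the reel: without that, a user could set their own reel's cover to someone else's private upload, which is the same class of bug in the other parameter.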
“The vulnerability allowed an attacker to change the icon of any reel on Instagram. To carry out the attack, only the Media ID of the targeted user's reel was required. From the point of view of the security triad (confidentiality, integrity and availability – ed.), integrity was violated, and the victim's availability was completely disregarded by the attacker's actions,” the researcher said.
After discovering the vulnerability, Sharma reported it to Meta, Instagram's owner, through the company's bug bounty program. A few days later Meta triaged the report and began working on a fix.
Meta fixed the vulnerability and paid the researcher a $45,000 reward, plus an additional $4,500 bonus.
Given the disruption that exploitation of this vulnerability in real attacks could have caused among Instagram users, the fix was timely. Since the flaw was in the endpoint that handles the edit, Meta's fix did not require any action from users; keeping the Instagram app updated to the latest available version nonetheless remains good practice.