Disclose Ad Accounts linked with Instagram Accounts

Description

There exists a GraphQL endpoint in Instagram which allowed me to view the Ad account linked to an Instagram profile.

Impact

A malicious user could have used this bug to retrieve the Ad account linked to an Instagram account, which would lead to identification/de-anonymization.

Proof of concept

  • Send a POST request to [ https://i.instagram.com/api/v1/ads/graphql ] with parameters:
    doc_id=REDACTED&locale=en_US&signed_body=SIGNATURE.&strip_nulls=true&strip_defaults=true&query_params={"query_params":{"access_token":"","id":"userID"}}
  • Upon changing the value of the "id" parameter to a targeted userID, the ad account name and ID were disclosed.
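
The behaviour in the PoC is what a resolver produces when it looks up the client-supplied "id" without an object-level authorization check. The following is an added example, not Meta's code and not part of the original report: a hypothetical server-side resolver in its vulnerable and hardened forms. The data store, function names and the "admins" role set are assumptions; only the query_params shape comes from the PoC.

```python
import json

# Constructed sample data: Instagram user id -> linked ad account (all values made up).
AD_ACCOUNTS = {
    "1001": {"ad_account_id": "act_501", "name": "Alice Bakery Ads", "admins": {"1001", "1003"}},
    "1002": {"ad_account_id": "act_502", "name": "Bob Cycles Ads", "admins": {"1002"}},
}

class Forbidden(Exception):
    """Raised when the viewer has no role on the requested ad account."""

def parse_target_id(raw_query_params: str) -> str:
    """Extract the client-supplied "id" from the query_params JSON shape in the PoC."""
    params = json.loads(raw_query_params)["query_params"]
    target = params.get("id")
    if not isinstance(target, str) or not target.isdigit():
        raise ValueError("id must be a numeric string")
    return target

def resolve_ad_account_vulnerable(session_user_id: str, raw_query_params: str):
    """Behaviour described in the report: any id is resolved for any caller."""
    acct = AD_ACCOUNTS.get(parse_target_id(raw_query_params))
    return None if acct is None else {"id": acct["ad_account_id"], "name": acct["name"]}

def resolve_ad_account_hardened(session_user_id: str, raw_query_params: str):
    """Authorize against the server-side session, never against the supplied id."""
    acct = AD_ACCOUNTS.get(parse_target_id(raw_query_params))
    # Same error for "no ad account" and "not yours", so the response
    # does not reveal which profiles have an ad account linked.
    if acct is None or session_user_id not in acct["admins"]:
        raise Forbidden("ad account not available")
    return {"id": acct["ad_account_id"], "name": acct["name"]}
```

The session_user_id argument stands for the identity the server derived from the authenticated session, which is the only value the hardened check trusts.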

Timeline

6 November 2021 - Report sent
8 November 2021 - Reply from Security Personnel: Need More Info
11 November 2021 - Triaged
2 December 2021 - Fixed by Meta
2 December 2021 - $1500 bounty awarded by Meta