Description
There exists a GraphQL endpoint in Instagram which allowed me to view the Ad account linked to an Instagram profile.
Impact
A malicious user could have used this bug to retrieve the Ad account linked to any Instagram account, tying the profile to the business or person behind that Ad account (identification/de-anonymization).
Proof of concept
- Send a POST request to https://i.instagram.com/api/v1/ads/graphql with the parameters doc_id=REDACTED&locale=en_US&signed_body=SIGNATURE.&strip_nulls=true&strip_defaults=true&query_params={"query_params":{"access_token":"","id":"userID"}}
- Changing the value of the "id" parameter to a targeted userID disclosed that user's Ad account name and ID. The request works with an empty access_token, so the server resolved whatever id was supplied without checking that it belonged to the caller.
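The bug class here is an insecure direct object reference in a GraphQL resolver: the caller names the profile id and the server never checks that the authenticated viewer owns it. The following is an added illustration, not Instagram's code and not from the report: a toy resolver that mirrors the query_params shape from the PoC, once in the vulnerable form and once with object-level authorization. The profile IDs, ad account names, session tokens and response shape are constructed sample data; the real endpoint's doc_id and signed_body handling are omitted.

```python
import json

# Constructed sample data (assumption, not from the report): two profiles,
# each linked to an Ad account, plus the sessions the server has authenticated.
PROFILES = {
    "1001": {"username": "alice", "ad_account": {"id": "act_900001", "name": "Alice Bakery Ads"}},
    "1002": {"username": "bob", "ad_account": {"id": "act_900002", "name": "Bob Bikes Ads"}},
}
SESSIONS = {"sess_alice": "1001", "sess_bob": "1002"}  # session id -> profile id


class AuthorizationError(Exception):
    pass


def poc_body(target_id, access_token=""):
    """Build the query_params form value in the shape shown in the PoC."""
    return json.dumps({"query_params": {"access_token": access_token, "id": target_id}})


def parse_query_params(raw):
    """Decode the query_params field; the PoC nests the real params one level down."""
    return json.loads(raw)["query_params"]


def resolve_ad_account_vulnerable(session_id, raw_query_params):
    """Vulnerable resolver: trusts the caller-supplied id and ignores the session,
    so any caller can read any profile's Ad account (IDOR)."""
    params = parse_query_params(raw_query_params)
    profile = PROFILES.get(params["id"])
    return None if profile is None else profile["ad_account"]


def resolve_ad_account_fixed(session_id, raw_query_params):
    """Hardened resolver: the requested id must be the authenticated viewer's own
    profile. Missing session -> AuthorizationError; any other profile, whether it
    exists or not, -> None, so the endpoint does not become an existence oracle."""
    viewer = SESSIONS.get(session_id)
    if viewer is None:
        raise AuthorizationError("no authenticated session")
    params = parse_query_params(raw_query_params)
    if params["id"] != viewer:
        return None
    profile = PROFILES.get(params["id"])
    return None if profile is None else profile["ad_account"]


if __name__ == "__main__":
    # Alice's session asking for Bob's profile, exactly as the PoC swaps the id.
    body = poc_body("1002")
    print("vulnerable:", resolve_ad_account_vulnerable("sess_alice", body))
    print("fixed:", resolve_ad_account_fixed("sess_alice", body))
    print("fixed, own profile:", resolve_ad_account_fixed("sess_alice", poc_body("1001")))
```

The authorization decision is made against the server-side session, never against anything in query_params; an empty access_token or an arbitrary id cannot widen what the viewer may read.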
Timeline
6 November 2021 - Report sent
8 November 2021 - Reply from security personnel: need more info
11 November 2021 - Triaged
2 December 2021 - Fixed by Meta
2 December 2021 - $1,500 bounty awarded by Meta