Description
Instagram has some unique accounts which don't have any strings in their usernames that are created by developers for testing purposes they are normally invisible to platform users hence no one can interact with those accounts visiting these profiles will result in an application crash which means the user will be kicked out of Instagram App so keeping this in mind I thought of escalating this issue to increase the impact which resulted in permanent DoS in user DM's.
Impact
This attack requires zero user interaction and has the potential to literally permanent crash any Instagram user making it zero-click DoS.
This could have let a malicious user Remotely crash any Instagram platform user just by adding them to a malicious group which doesn't need to be accepted and once added the victim can no longer use the Instagram app.
Proof of Concept
- Capture group member adding request and change the targeted userID with a NULL username Instagram account userID.
- Add a victim account to the group that has a NULL username account as a member.
- The victim can no longer use Instagram App.
Timeline
14 December 2021 - Report sent
17 December 2021 - Triaged
20 January 2022 - $1500 Bounty Rewarded By Meta
17 December 2021 - Triaged
20 January 2022 - $1500 Bounty Rewarded By Meta