Description
There exists an Instagram API endpoint which allowed me to disclose the internal path of the Instagram server due to an unhandled system exception.
Impact
This bug could allow a malicious user to expose the internal path of the Instagram server.
Proof of Concept
POST
i.instagram.com/api/v1/media/configure_to_clips/
variables={"text":"[REDACTED]"}
Timeline
01 May 2024 - Report sent
14 June 2024 - Triaged
19 June 2024 - Bounty rewarded by Meta
26 July 2024 - Fixed
07 Sep 2024 - Incomplete Fix reported
08 Oct 2024 - Triaged
10 Oct 2024 - Bounty rewarded by Meta