Security Researcher Wins Bug Bounty for Finding Instagram App Crash Bug


Security researchers have been quite active over the past few months in discovering and reporting bugs in Facebook-owned Instagram. In fact, a Chennai-based techie won a bug bounty from Instagram twice for reporting bugs. Earlier this week, another white-hat hacker disclosed a bug in the photo-sharing platform that could have been used to remotely crash the Instagram app of any Android user.

The security researcher, who goes by the name “valbrux”, had initially discovered that Instagram uses a “simple incremental PKID in its database to define user accounts”. On further digging, he found that one of the first accounts (PKID 3 or 4) created on Instagram belonged to Mike Krieger, one of the co-founders of Instagram.

However, the first and second Instagram accounts, bearing PKIDs 1 and 2, seemed a bit suspicious to him. He discovered that the usernames of these first two accounts contained an empty string even though each was associated with an ID.

The researcher saw a chance of a vulnerability in these “ghost users”. He created a chat group on Instagram with the other two accounts on a Samsung Galaxy S8+ running Android 8.0 Oreo and found that the app kept crashing unless the user was removed from the group.

“This was probably caused by a JSON parsing exception of the empty string in the ghost user’s username,” says the researcher.

If this exploit had reached the wrong hands, it would have given an attacker the power to remotely crash the app of any Instagram Android user simply by adding the victim to a group in which the ghost user is a member. Moreover, the researcher notes that no request has to be accepted when your Instagram followers add you to a group. Otherwise, accepting a group join request is mandatory.
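
A defensive pattern for the failure the researcher describes, as an added example that is not Instagram's code or part of the original article: a client that validates each group member record in isolation, so one record with an empty username is rejected without aborting the whole thread. The payload and its field names (`users`, `pk`, `username`) are constructed assumptions, not Instagram's real schema.

```python
import json

# Constructed sample payload: field names ("pk", "username", "users") are
# assumptions for illustration, not Instagram's real API schema.
THREAD_JSON = json.dumps({
    "thread_title": "demo group",
    "users": [
        {"pk": 1, "username": ""},          # "ghost" record: empty username
        {"pk": 1001, "username": "alice"},
        {"pk": 1002},                        # field missing entirely
        {"pk": 1003, "username": "bob"},
    ],
})

class MemberParseError(ValueError):
    """Raised when one member record fails validation."""

def parse_member(record):
    """Strict per-record validation: reject anything but a non-empty string."""
    if not isinstance(record, dict):
        raise MemberParseError("member is not an object")
    name = record.get("username")
    if not isinstance(name, str) or not name.strip():
        raise MemberParseError(f"bad username for pk={record.get('pk')!r}")
    return {"pk": record.get("pk"), "username": name}

def parse_thread_fragile(raw):
    """Fragile: one bad record aborts the whole thread (the crash path)."""
    data = json.loads(raw)
    return [parse_member(r) for r in data["users"]]

def parse_thread_hardened(raw):
    """Hardened: isolate failures per record, keep the rest of the thread."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return [], ["payload is not valid JSON"]
    users = data.get("users") if isinstance(data, dict) else None
    members, rejected = [], []
    for record in users if isinstance(users, list) else []:
        try:
            members.append(parse_member(record))
        except MemberParseError as exc:
            rejected.append(str(exc))   # log/telemetry instead of crashing
    return members, rejected

if __name__ == "__main__":
    members, rejected = parse_thread_hardened(THREAD_JSON)
    print([m["username"] for m in members], rejected)
```

The rejected list is what a client would send to telemetry, which also gives the server side a signal that malformed account records are being served.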


The security researcher contacted the Facebook Whitehat Team regarding the bug back in April, following which Facebook requested more information regarding the attack. The bug was acknowledged and fixed, and the bounty was awarded last week, which led him to disclose the bug safely without affecting the platform.
