Description
This bug could have allowed an attacker to raise a PHP exception after manipulating with some parameters in the request which led to the disclosure of internal system paths of the server i.instagram.com and names of some internal methods/classes.
Demonstration
- After enabling users CAs, we launch a proxy which enables us to intercept requests made from the Instagram App.
- We intercept any POST request to the server https://i.instagral.com/.
- We change the path to https://i.instagram.com/api/v1/ads/graphql/ and add to the request body this parameter “&doc_id=197633352–“.
- After this, a PHP exception should be raised which exposes the described information above.
Please notice that this specific endpoint had some serious problems concerning exception handling and many exceptions could been raised to expose other methods/files if we provide a doc_id/query_id of a Query/Mutation that does different action from the other. This happened because some doc_ids returned details about objects that didn’t exist (like the viewer/actor object)”
Timeline
Mar 27, 2019— Report Sent
Mar 28, 2019 — Acknowledged by Facebook
Jun 18, 2019 — Fixed by Facebook
Jul 18, 2019 — Bounty Awarded by Facebook