Description
This bug allows an attacker to redirect a user from www.instagram.com to any website of the attacker's choosing. The endpoint https://www.instagram.com/accounts/convert_to_professional_account/ doesn't check whether the redirect_uri parameter points to a Facebook-owned domain, so whatever URL is supplied there is used as the redirect target (an open redirect). One thing to note: for the redirect to happen without further user interaction, the victim's Instagram account must be a business account.
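To make the missing check concrete, the following is an added example (not Instagram's or Facebook's code) of what a redirect_uri allowlist check looks like next to the behaviour the report describes. ALLOWED_DOMAINS, the function names and the default landing path are assumptions for illustration; the inputs exercised at the bottom are constructed from the report's proof-of-concept value and common allowlist-bypass shapes.

```python
"""Allowlist validation for a redirect_uri parameter.

Added example; this is not Instagram's or Facebook's code. ALLOWED_DOMAINS,
the function names and the default landing path are assumptions made for
illustration.
"""
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains a redirect may land on. Subdomains
# of these are accepted (www.instagram.com, business.facebook.com, ...).
ALLOWED_DOMAINS = ("instagram.com", "facebook.com")


def _host_is_allowed(host: str) -> bool:
    """True only for an allowlisted domain or one of its subdomains.

    Matching on '.' + domain rejects look-alikes such as
    instagram.com.evil.example and evilinstagram.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def is_allowed_redirect(redirect_uri: str) -> bool:
    """Decide whether redirect_uri may be used as a Location target."""
    if not redirect_uri:
        return False
    # Browsers parse '\' as '/' and ignore some control characters; urllib
    # does not. Rather than trust a parser that can disagree with the
    # browser, refuse such input outright.
    if "\\" in redirect_uri or any(ch.isspace() or ord(ch) < 0x20 for ch in redirect_uri):
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as /accounts/edit/. Scheme-relative
        # '//evil.example' never gets here because urlsplit puts its host
        # in netloc.
        return parts.path.startswith("/")
    if parts.scheme != "https":
        return False  # blocks javascript:, data:, http: and '//host' forms
    if parts.username is not None or parts.password is not None:
        return False  # https://instagram.com@evil.example lands on evil.example
    try:
        _ = parts.port  # ValueError for a non-numeric port such as ':evil.example'
    except ValueError:
        return False
    host = parts.hostname
    return host is not None and _host_is_allowed(host)


def vulnerable_redirect_target(redirect_uri: str, default: str = "/") -> str:
    """The behaviour the report describes: the supplied value is used as-is."""
    return redirect_uri or default


def safe_redirect_target(redirect_uri: str, default: str = "/") -> str:
    """Use redirect_uri only if it passes the allowlist, otherwise fall back."""
    return redirect_uri if is_allowed_redirect(redirect_uri) else default


if __name__ == "__main__":
    # The report's proof-of-concept value, URL-decoded (constructed input).
    poc = "https://evilzone.org"
    print("vulnerable ->", vulnerable_redirect_target(poc))
    print("fixed      ->", safe_redirect_target(poc))
```

The check is deliberately stricter than "does the string contain instagram.com": it matches the host on a leading-dot suffix so `instagram.com.evil.example` and `evilinstagram.com` fail, rejects userinfo so `https://instagram.com@evil.example` fails, insists on https, and refuses backslashes and control characters before parsing because the browser's URL parser and urllib can disagree on where the host ends.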
Reproduction Steps
Setup
=====
Log in to a business Instagram account on mobile or web.
Steps
=====
1) Visit https://www.instagram.com/accounts/convert_to_professional_account/?redirect_uri=https%3A%2F%2Fevilzone.org
You should be redirected to https://evilzone.org/
Impact
This could be used to redirect Instagram users to malicious websites from a link that starts inside the Instagram website or mobile application, lending the attacker's page the trust of an instagram.com URL.
Timeline
Nov 14, 2020 — Report sent
Nov 16, 2020 — Acknowledged by Facebook
Jan 15, 2021 — Fixed by Facebook
Jan 15, 2021 — $500 bounty awarded by Facebook (including bonus)