Open redirect in Instagram.com

Description

This bug could allow a malicious user to redirect a victim from www.instagram.com to any website of the attacker's choosing. The endpoint https://www.instagram.com/accounts/convert_to_professional_account/ doesn't check whether the supplied redirect_uri points to a Facebook-owned domain, which leaves it vulnerable to open redirection. One thing to note is that for this attack to work without user interaction, the victim's Instagram account must be a business account.
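The missing check is a redirect_uri validator that only follows first-party destinations. The function below is an added example (not Facebook's code) of such a check; the allowlist of hosts and the fallback URL are assumptions made for the example, and the inputs in the comments are constructed from the report's own URL.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of first-party hosts (constructed for this example;
# the real endpoint's allowlist, if any, is not known from the report).
ALLOWED_HOSTS = {"instagram.com", "www.instagram.com", "facebook.com", "www.facebook.com"}
SAFE_FALLBACK = "https://www.instagram.com/"   # assumed safe default destination


def is_allowed_host(host):
    """True for an allowlisted host or a subdomain of an allowlisted apex domain."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    # Only apex domains (one dot) grant subdomains, so "www.instagram.com.evilzone.org"
    # and other lookalikes fail here because they do not END with ".instagram.com".
    apexes = [h for h in ALLOWED_HOSTS if h.count(".") == 1]
    return any(host.endswith("." + apex) for apex in apexes)


def safe_redirect_target(redirect_uri):
    """Return redirect_uri if it is a first-party https URL or a relative path, else SAFE_FALLBACK."""
    if not redirect_uri:
        return SAFE_FALLBACK
    # Browsers treat backslashes as slashes; urlsplit does not, so normalise first
    # so that "https://www.instagram.com\@evilzone.org/" is parsed the way a browser would.
    candidate = redirect_uri.replace("\\", "/").strip()
    # A relative path stays on this origin; "//evilzone.org" is protocol-relative and is not.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return "https://www.instagram.com" + candidate
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # e.g. malformed IPv6 literal
        return SAFE_FALLBACK
    if parts.scheme != "https":             # rejects http://, javascript:, data:, and "//host"
        return SAFE_FALLBACK
    if "@" in parts.netloc:                 # rejects "https://www.instagram.com@evilzone.org/"
        return SAFE_FALLBACK
    if not parts.hostname or not is_allowed_host(parts.hostname):
        return SAFE_FALLBACK               # the report's https://evilzone.org ends up here
    return urlunsplit(parts)
```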

Reproduction Steps

Setup
=====
Log in to a business Instagram account on mobile or web.

Steps
=====
1) Visit https://www.instagram.com/accounts/convert_to_professional_account/?redirect_uri=https%3A%2F%2Fevilzone.org

You should be redirected to https://evilzone.org/

Impact

This could be used to redirect Instagram users to malicious websites from inside the Instagram website or mobile application, with a link that appears to point at www.instagram.com.

Timeline

Nov 14, 2020 — Report sent
Nov 16, 2020 — Acknowledged by Facebook
Jan 15, 2021 — Fixed by Facebook
Jan 15, 2021 — $500 bounty awarded by Facebook (including bonus)