Description
Access tokens returned when an Instagram user authorizes a third-party Instagram application built on the Instagram Basic Display API could be used to access the graph.instagram.com/graphql endpoint, which allowed the owner of the application to run queries and mutations, bypassing the API permissions that were granted, or in some scenarios take over the account entirely.
Reproduction Steps
According to the documentation of the Instagram Basic Display API, any user can create an Instagram application that requests permissions like user and media from the user. After creation, the application must be approved by Facebook. If the application review succeeds, the application owner can redirect Instagram users from his website to the Instagram authorization page, and if the user chooses to use the application, the owner receives an Instagram access token.
The access token generated and returned to the website owner is supposed to have access only to a limited set of API endpoints that query some user information or media, as documented by Facebook. However, it seems that due to some recent changes to the API, the generated access tokens were able to access more Graph APIs, such as the graph.instagram.com/graphql endpoint, and could also be used in some Facebook.com queries/mutations that directly lead to the possibility of taking over the Instagram account or the Page/Business accounts linked to it.
Finally, to explain how this could be abused:
– An attacker could create a normal application and embed the Instagram application authorization request in his website. Since the authorization page shows only that the application will have access to limited permissions, the victim would accept, and the attacker could then take over the account.
– Since the API allows long-lived access tokens, a website owner that uses Instagram for authentication or offers an Instagram insights and analytics service would already have a large Instagram user base that he could target to gain information or take over their accounts. Of course, this wouldn't require victim interaction, since they already authorized the application.
Proof of concept
- Victim is redirected to https://www.instagram.com/oauth/authorize?app_id=ATTACKER_APP_ID&response_type=code&redirect_uri=https://attacker.website/&scope=user_profile
- Victim authorizes the third-party Instagram application and agrees to grant basic permissions like user_profile
- Attacker receives the access_token and, for example, tries this GraphQL mutation, which would disconnect the Instagram account from Facebook pages (this example was chosen because the account takeover approach is more complicated and could still be useful to me in future bugs 🙂)
https://graph.instagram.com/graphql?access_token=IG_THIRD_PARTY_TOKEN&doc_id=3131323080272171&method=POST
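The root cause described above is an API gateway that checks only whether a token is valid, not which product issued it or which scopes it carries. The following is an added example (not Facebook's code, not part of the original report) modelling that check: token families, endpoint names other than the page's own, and the `manage_account` scope are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed model of the two token families the report contrasts.
BASIC_DISPLAY = "basic_display"  # issued via instagram.com/oauth/authorize, scope=user_profile,user_media
GRAPH_API = "graph_api"          # assumed name for tokens meant to reach graph.instagram.com/graphql

# Hypothetical per-endpoint policy: (accepted token families, required scopes).
# "manage_account" is a placeholder scope, not a documented Instagram permission.
ENDPOINT_POLICY = {
    ("GET", "/me"):        ({BASIC_DISPLAY, GRAPH_API}, {"user_profile"}),
    ("GET", "/me/media"):  ({BASIC_DISPLAY, GRAPH_API}, {"user_media"}),
    ("POST", "/graphql"):  ({GRAPH_API}, {"manage_account"}),
}


@dataclass(frozen=True)
class AccessToken:
    app_id: str
    user_id: str
    family: str            # which product issued the token
    scopes: FrozenSet[str]  # what the consent screen actually showed the user
    expires_at: int        # unix seconds; long-lived Basic Display tokens last about 60 days


def _is_live(token: AccessToken, now: int) -> bool:
    return now < token.expires_at


def authorize_vulnerable(token: AccessToken, method: str, path: str, now: int) -> tuple:
    """The behaviour the report describes: any live token reaches any known endpoint,
    so the limited permissions shown at consent time are never enforced."""
    if not _is_live(token, now):
        return False, "expired"
    if (method, path) not in ENDPOINT_POLICY:
        return False, "unknown endpoint"
    return True, "ok"


def authorize_fixed(token: AccessToken, method: str, path: str, now: int) -> tuple:
    """Bind the token to the product that issued it, then enforce the granted scopes."""
    if not _is_live(token, now):
        return False, "expired"
    policy = ENDPOINT_POLICY.get((method, path))
    if policy is None:
        return False, "unknown endpoint"
    families, required = policy
    if token.family not in families:
        return False, f"{token.family} token not accepted by {path}"
    missing = required - token.scopes
    if missing:
        return False, "missing scope: " + ",".join(sorted(missing))
    return True, "ok"


# Constructed token: exactly what the victim in the proof of concept consented to.
VICTIM_TOKEN = AccessToken("ATTACKER_APP_ID", "victim", BASIC_DISPLAY, frozenset({"user_profile"}), 1_700_000_000)
```

With the vulnerable check the victim's user_profile token reaches the mutation endpoint; with the fixed check it is rejected on token family before scopes are even compared.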
Impact
Instagram third-party application access tokens could be used to perform unauthorized mutations that could lead to Instagram account takeover or Facebook Business and Page takeover.
This bug has been fixed and, according to Facebook, no evidence of abuse was found.
Timeline
Mar 15, 2021 — Report sent
Mar 18, 2021 — Acknowledged by Facebook
Apr 14, 2021 — Fixed by Facebook
May 4, 2021 — $18K bounty awarded by Facebook (including bonus)