HomeBug BountyInstagram Live DOS: Reaction Exploit Kicks Users Out, $5000 Bounty

Instagram Live DOS: Reaction Exploit Kicks Users Out, $5000 Bounty

Instagram Live DOS – A skilled bug hunter has uncovered a significant vulnerability in Instagram’s Live feature, earning a $5,000 bounty from Facebook’s bug bounty program. The security researcher, known as rootbakar, discovered a flaw that could disrupt live streams for Android users, posting his findings on September 27, 2022.

The bug, which affects all Android devices regardless of brand or model, allows an attacker to force both the live streamer and viewers to exit the live session abruptly. Interestingly, iOS users were not impacted by this vulnerability.


Root Cause and Exploitation

Rootbakar detailed his findings in a comprehensive write-up, explaining the step-by-step process of identifying and exploiting the bug. The vulnerability lies in the reaction feature of Instagram Live, where users can send emoji reactions during a stream.

By intercepting the network traffic using Burp Suite, the researcher identified a vulnerable endpoint: /api/v1/live/{user_live_id}/react/. This endpoint contained a parameter called “reaction_unicode” that could be manipulated.


Exploiting the Vulnerability

The bug hunter then crafted a specially formatted string to exploit the vulnerability. By sending an extremely long string of nested directory paths as the reaction_unicode parameter, the attacker could trigger an error that forcibly ended the live stream for all participants.

Impact and Implications

When someone exploits this bug, it kicks both the streamer and viewers out of the live session and displays an error message. Attackers could potentially use this disruption maliciously to interrupt important live broadcasts or events.


Response and Resolution

Facebook’s security team promptly acknowledged the bug report and awarded rootbakar a $5,000 bounty for responsibly disclosing the vulnerability. The process started with rootbakar submitting the report in June 2022. By July 2022, Facebook had triaged the issue, fixed the bug, and rewarded the researcher. This collaborative approach between ethical hackers and tech companies continues to play a crucial role in improving online security for millions of users worldwide.


Lessons Learned

The Instagram Live DOS discovery highlights the importance of thorough security testing, even for widely used features on popular platforms. Bug bounty programs also help identify and address potential vulnerabilities before malicious actors can exploit them.

As social media platforms evolve and introduce new features, the need for ongoing security assessments remains critical. The Instagram Live bug serves as a reminder that even seemingly simple functions can harbor unexpected vulnerabilities, emphasizing the importance of continuous security testing and improvement.

–Meta bug bounty program

Link to read full write up:

Save the PDF here

A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.



Please enter your comment!
Please enter your name here

20 − 18 =

Most Popular


- Advertisement -