Instagram Live DOS – A skilled bug hunter has uncovered a significant vulnerability in Instagram’s Live feature, earning a $5,000 bounty from Facebook’s bug bounty program. The security researcher, known as rootbakar, discovered a flaw that could disrupt live streams for Android users, posting his findings on September 27, 2022.
The bug, which affects all Android devices regardless of brand or model, allows an attacker to force both the live streamer and viewers to exit the live session abruptly. Interestingly, iOS users were not impacted by this vulnerability.
Root Cause and Exploitation
Rootbakar detailed his findings in a comprehensive write-up, explaining the step-by-step process of identifying and exploiting the bug. The vulnerability lies in the reaction feature of Instagram Live, where users can send emoji reactions during a stream.
By intercepting the network traffic using Burp Suite, the researcher identified a vulnerable endpoint: /api/v1/live/{user_live_id}/react/. This endpoint contained a parameter called “reaction_unicode” that could be manipulated.
Exploiting the Vulnerability
The bug hunter then crafted a specially formatted string to exploit the vulnerability. By sending an extremely long string of nested directory paths as the reaction_unicode parameter, the attacker could trigger an error that forcibly ended the live stream for all participants.
Impact and Implications
When someone exploits this bug, it kicks both the streamer and viewers out of the live session and displays an error message. Attackers could potentially use this disruption maliciously to interrupt important live broadcasts or events.
Response and Resolution
Facebook’s security team promptly acknowledged the bug report and awarded rootbakar a $5,000 bounty for responsibly disclosing the vulnerability. The process started with rootbakar submitting the report in June 2022. By July 2022, Facebook had triaged the issue, fixed the bug, and rewarded the researcher. This collaborative approach between ethical hackers and tech companies continues to play a crucial role in improving online security for millions of users worldwide.
Lessons Learned
The Instagram Live DOS discovery highlights the importance of thorough security testing, even for widely used features on popular platforms. Bug bounty programs also help identify and address potential vulnerabilities before malicious actors can exploit them.
As social media platforms evolve and introduce new features, the need for ongoing security assessments remains critical. The Instagram Live bug serves as a reminder that even seemingly simple functions can harbor unexpected vulnerabilities, emphasizing the importance of continuous security testing and improvement.
Link to read full write up: https://progress28.com/2022/09/27/facebook-bug-bounty-h4ck-instagram-live-dan-mendapatkan-5-000-dollar/
Save the PDF here