Teenager Awarded $25K Bounty For Finding Stored XSS In Instagram Spark AR

A teenage researcher was awarded $25,000 as bounty for discovering a flaw affecting Instagram. Specifically, he found a stored XSS vulnerability affecting the Instagram Spark AR Studio.

Stored XSS In Instagram Spark AR

Sharing the details in a blog post, the researcher, Andres Alonso, disclosed a stored XSS bug in Instagram Spark AR. The vulnerability, initially found as an open redirect, could be escalated to stored XSS.

In brief, Alonso found the bug while working with the Spark AR filter creator to make filters for his app. He noticed that changing the name of the preview file, after generating the filter link, changes the test notification.

As stated in his post,

When I generate the filter link the first request sent sets the name, file type, and size of the filter .arexport file.
Normally the default name of the preview is preview.arexport and can not be changed by the Spark AR app…
When I changed the name the filter test notification changed too.

This behavior prompted him to look for an XSS.

He initially failed to do so, though, because the injection point was limited to a meta tag.

Yet he could still inject double quotes. So he went on to create an open redirect, HTML-encoding the URL to bypass the filter.

I can only close the double quotes, but I tried to make an open redirect, to make this I encoded the URL in HTML encoding to bypass the filter.
http://www.evilzone.com
and put in this payload to redirect to the URL
0;url=http://www.evilzone.com"HTTP-EQUIV="refresh"any=".arexport

That’s where he succeeded in creating the redirect.

Facebook Awarded $25,000 Bounty

After discovering the vulnerability, Alonso reached out to Facebook to report the matter.

He could not demonstrate an XSS at that point, but Facebook, while acknowledging the bug, confirmed that it could lead to XSS on Instagram.

He then observed that changing the page's character set by injecting a modified UTF-7 charset declaration could trigger the XSS.
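The root cause described above is a user-controlled file name landing inside an HTML attribute of a meta tag without attribute-context escaping, so a double quote closes the attribute and the rest of the name becomes new attributes (here, an HTTP-EQUIV refresh). The following Python is an added illustration, not code from the write-up or from Spark AR: the template, the attribute names and the file-name allowlist are assumptions, and only the payload string is taken from the article. It shows the vulnerable rendering next to two defensive layers (output encoding for the attribute context, and an allowlist on the file name) and a fixed charset declaration so a later charset injection cannot change how the page is decoded.

```python
import html
import re

# Constructed template: assumes the uploaded preview file name is written into
# the content attribute of a <meta> tag. This is a hypothetical markup, not the
# real Spark AR page.
TEMPLATE = '<meta name="preview-file" content="{name}">'

# Payload quoted in the article: the double quote ends the content attribute and
# the remainder is parsed as additional attributes of the same tag.
PAYLOAD = '0;url=http://www.evilzone.com"HTTP-EQUIV="refresh"any=".arexport'

# Allowlist for the file name (assumption): simple token plus the .arexport suffix.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}\.arexport$')


def render_unsafe(name):
    """Vulnerable: raw interpolation, any '"' in the name breaks out of the attribute."""
    return TEMPLATE.format(name=name)


def render_escaped(name):
    """First layer: encode for the HTML attribute context (quotes become &quot;)."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def accept_name(name):
    """Second layer: reject anything that is not a plain .arexport file name."""
    return SAFE_NAME.match(name) is not None


def render_safe(name):
    """Both layers: allowlist the name, then escape it for the attribute context."""
    if not accept_name(name):
        raise ValueError("preview file name rejected")
    return render_escaped(name)


def attributes_of(tag):
    """Crude attribute-name extractor used only to show what the browser would see
    as separate attributes. It is a demo helper, not an HTML parser."""
    return re.findall(r'\b([A-Za-z-]+)="', tag)


def document_head(meta_tags):
    """Pin the document encoding before any user-influenced tag appears, so an
    injected charset declaration later in the page cannot switch the decoder."""
    return '<head><meta charset="utf-8">' + ''.join(meta_tags) + '</head>'


if __name__ == "__main__":
    # Unsafe: the payload yields extra attributes, including the HTTP-EQUIV refresh.
    print("unsafe   :", attributes_of(render_unsafe(PAYLOAD)))
    # Escaped: the quotes are encoded, so only the two intended attributes remain.
    print("escaped  :", attributes_of(render_escaped(PAYLOAD)))
    # Allowlist: the payload is rejected outright; a normal name passes.
    print("accepted :", accept_name(PAYLOAD), accept_name("preview.arexport"))
    print(document_head([render_safe("preview.arexport")]))
```

The escaping alone neutralizes the attribute breakout shown in the article; the allowlist is there because a file name has no legitimate reason to contain quotes, angle brackets or semicolons in the first place, and rejecting it early also keeps the odd name out of any other place (logs, notifications) where it might be rendered without escaping. Serving the page with a `Content-Type: text/html; charset=utf-8` header, in addition to the meta charset, closes the same decoding gap at the transport layer.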

Hence, for his discovery of this Instagram bug, Facebook rewarded him with $25,000 as bounty.

