A security researcher has recently disclosed the details of a critical security bug in Instagram that could allow an attacker to change reel thumbnails. Meta patched the vulnerability before it was widely exploited.
Instagram Bug Allowed Meddling With Reel Thumbnails
Elaborating on the Instagram vulnerability in a recent post, the researcher Neeraj Sharma explained how he could change the reel thumbnails of target Instagram users.
As explained, the vulnerability existed in the edit thumbnail functionality for Instagram reels. Scrutinizing this feature when changing his own reel thumbnail, the researcher intercepted the HTTP requests to discover the vulnerable endpoint.
Specifically, the bug allowed editing of the
clips_media_id (the reel ID) and
upload_id (ID of the photo the user wants to insert on a thumbnail) parameters to the users. Hence, Sharma could edit the parameters on two of his accounts to replace the photo thumbnails. He observed that an adversary could easily modify the reel thumbnails of any user by using its media_id. As stated in his post,
This bug allowed malicious actor/s to change the thumbnail of any reels on Instagram. To perform this attack, only the Media ID of the target user’s reel was required.
Within the Triad of C-I-A, Integrity was violated and the Accessibility of the victim was totally disregarded by the actions of the attacker.
The researcher has shared the exploit PoC in the following video.
Meta Patched The Bug
Following this discovery, the researcher reported the matter to Meta via their bug bounty program. Within a few days, the tech giant acknowledged the bug report and started working on a fix.
Consequently, Meta patched the vulnerability while rewarding the researcher with a $45000 bounty. The researcher also won a bonus of $4500, earning a total of $49500 against this bug report.
While exploiting this vulnerability in the wild could seriously impact Instagram users, the tech giant patched the flaw in time. Therefore, Instagram users now don’t have to worry about their accounts’ security. But they must ensure running the latest Instagram app versions on their devices to ensure having received all the patches.