
CSRF flaw in Instagram makes private profile set to public


As part of Facebook's bug bounty program, independent security researcher Christian Lopez Martin went looking for vulnerabilities in Instagram.

Instagram is an online photo-sharing, video-sharing and social networking service that Facebook acquired in April 2012.

Martin identified a Cross-Site Request Forgery (CSRF) flaw in Instagram that could be used to switch a private profile to public.

According to the researcher, no anti-CSRF (authenticity) token was required by the endpoint that sets an Instagram profile to public or private, so the browser's session cookie alone was enough to authorize the change.

In his proof of concept, any logged-in Instagram user who clicked the "Submit" button on the attacker's page would have their profile set to public (if it was private):

<html>
  <body>
    <form action="http://instagram.com/api/v1/accounts/set_public/" method="POST">
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
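The root cause described above is a state-changing POST endpoint that trusts the session cookie alone. The following Python model, added here and not taken from the article or from Instagram's code, contrasts a handler with that defect against one hardened with the two standard mitigations: an Origin header check and a per-session synchronizer token compared in constant time. The request and session dictionaries, the endpoint names and the SITE_ORIGIN value are all constructed assumptions for the example.

```python
import hmac
import secrets

# Assumed origin of the legitimate site (constructed for this example).
SITE_ORIGIN = "https://instagram.com"


def issue_csrf_token(session):
    """Create (or reuse) a random per-session anti-CSRF token, stored server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_settings_form(session):
    """HTML the site itself would serve: the token travels as a hidden field.
    A cross-site page cannot read this form, so it cannot learn the token."""
    token = issue_csrf_token(session)
    return (
        '<form action="/api/v1/accounts/set_public/" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Make profile public">'
        "</form>"
    )


def handle_set_public_vulnerable(request, session):
    """The flaw as the article describes it: any authenticated POST flips the
    profile. Nothing ties the request to a page served by the site."""
    if request["method"] != "POST":
        return 405
    session["is_private"] = False
    return 200


def handle_set_public_fixed(request, session):
    """Hardened handler. Browsers attach an Origin header to cross-origin form
    POSTs, so a mismatch is rejected outright; when the header is absent we
    fall through to the synchronizer token, which is the primary defence."""
    if request["method"] != "POST":
        return 405
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    session["is_private"] = False
    return 200


def simulate():
    """Replay the attack scenario against both handlers; returns the outcomes."""
    # Constructed request: what the browser sends when the victim clicks the
    # attacker's form. The session cookie is attached, but no token is known.
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example"},
        "form": {},
    }
    vuln_session = {"is_private": True}
    vuln_status = handle_set_public_vulnerable(forged, vuln_session)

    fixed_session = {"is_private": True}
    render_settings_form(fixed_session)  # site served its form; token now in session
    forged_status = handle_set_public_fixed(forged, fixed_session)

    # Constructed legitimate submission from the site's own form.
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": fixed_session["csrf_token"]},
    }
    legit_status = handle_set_public_fixed(legit, fixed_session)

    return {
        "vulnerable": (vuln_status, vuln_session["is_private"]),
        "fixed_forged": (forged_status, True if forged_status == 403 else fixed_session["is_private"]),
        "fixed_legit": (legit_status, fixed_session["is_private"]),
    }


if __name__ == "__main__":
    for name, (status, private) in simulate().items():
        print(f"{name}: HTTP {status}, is_private={private}")
```

Running the script shows the forged request succeeding (HTTP 200, profile now public) against the vulnerable handler and being refused (HTTP 403, profile still private) by the fixed one, while the site's own form still works. The token check is what matters; the Origin comparison is a cheap second layer, which is why the code does not rely on the header being present.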

He reported the flaw to Facebook on August 22, 2013, and a fix was deployed 15 days later.

On September 16th, 2013, the researcher reported a bypass of the initial fix by Facebook/Instagram engineers. A few months later, Martin found another way to bypass the second fix.

Finally, on February 4th, 2014, Facebook confirmed that the CSRF flaw was properly patched.

Technical details available here.

About Clifford Trigo

I am Clifford Trigo, a proud Boholano / Pinoy / Filipino Web App Security Researcher. Day by day, I'm learning new things :)) Visit my HackerOne Profile, currently at top 2 overall :D