Instagram vulnerability description:
Instagram for Android has a messaging tool in which users can change message controls to decide whether they want to receive messages from potential connections or other people from Facebook and Instagram.
Instagram’s Android app has implemented a deeplink “instagram://turn_off_message_requests” that can turn off all requests so the user won’t receive messages from anybody, and this deeplink executes headlessly so there is no UI after execution of the deeplink.
Thus, a malicious or rogue app could execute the turn-off message requests deeplink without holding any permission, such as “FB_APP_COMMUNICATION”, and an attacker could disable all incoming messages for the Instagram user.
Repro steps:
Instagram Android app version: 258.1.0.26.100
1. Go to Instagram for Android > Messages > Tools > Message controls
2. Set “deliver requests to” to “message requests”
3. Close Instagram app
4. Launch “instagram://turn_off_message_requests” deeplink (without quotes)
5. Open the Instagram app and go to message controls; you can see that all options have become “Don’t receive”.
POC:
Timeline:
29/10/2022: Report submitted.
02/11/2022: Triaged
09/11/2022: Bounty
20/12/2022: Fixed
Follow me on Twitter:
https://twitter.com/RahulKankrale