Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

How I Exposed Instagram's Private Posts by Blocking Users - 1255

003random, posted 2 years ago
  • Instagram allows posts to be embedded. An embed is simply a popup with embedded HTML that makes a request to https://www.instagram.com/api/v1/oembed/, which returns the post information: author, title and several other fields. If the post belongs to a private account, the response is a 403. If the requesting account has been blocked by the post's owner and the owner is private, the response is instead a 404 Not Found.
  • This is a perfect case for XS-Leaks! The embedding page can observe whether the iframe errors, so an error tells it that the visitor has been blocked by that account, i.e. that the visitor belongs to a particular subset of users. That is a de-anonymization primitive for users of any website that embeds Instagram, which is not great. So, a medium severity bug.
  • As any good bug bounty hunter does, the author kept gathering evidence and testing things out. When making this call from Burp Repeater, Burp and Chrome behaved differently. What was going on? It turned out that the User-Agent header was being processed server-side. After fuzzing the header, the author noticed that the code path taken for mobile user agents was different from the one taken in the browser.
  • So, by blocking the user and then requesting the private account's post with a mobile user agent, the oEmbed endpoint was returning data! According to Meta, the oEmbed endpoint had an error case for mobile agents. This error was normally triggered by region blocking, but the developers wanted all users to be able to access the items even when this error occurred. To achieve that, the error handler retried the request as a superuser.
  • Blocking the user turned out to trigger that same generic error handler, so the request was retried as a superuser and the post came back even though the original request had been rejected. Overall, a super unique vulnerability that required a lot of puzzle pieces to line up. To me, the big takeaway is that unexpected functionality should always be explored deeper.
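To make the two defects in that writeup concrete, here is an added toy model (my own code, not Instagram's; the post data, viewer names and the "superuser" retry are constructed assumptions). The vulnerable handler returns distinguishable status codes and catches every error with the superuser retry; the hardened one authorizes the real viewer first and gives every denial the same response.

```python
from dataclasses import dataclass, field

@dataclass
class Post:
    owner: str
    private: bool = False
    blocked: set = field(default_factory=set)  # viewers the owner has blocked
    region_blocked: bool = False               # trips the mobile-only error below

POSTS = {"p1": Post("alice", private=True, blocked={"mallory"}, region_blocked=True)}  # constructed sample

class RegionError(Exception):
    """The mobile-only failure the generic error handler was written to paper over."""

def authorize(post, viewer):
    """Blocked viewers and strangers to a private account may not see the post."""
    return viewer not in post.blocked and (not post.private or viewer == post.owner)

def fetch(post, viewer, mobile):
    """Read the post; the mobile path can fail with RegionError for non-privileged viewers."""
    if post.region_blocked and mobile and viewer != "superuser":
        raise RegionError
    return {"status": 200, "owner": post.owner}

def oembed_vulnerable(post_id, viewer, mobile):
    post = POSTS.get(post_id)
    if post is None:
        return {"status": 404}
    if not mobile:  # browser path: distinct codes let an embedding page tell private from blocked
        if authorize(post, viewer):
            return fetch(post, viewer, mobile)
        return {"status": 404 if viewer in post.blocked else 403}
    try:            # mobile path
        if not authorize(post, viewer):
            raise PermissionError
        return fetch(post, viewer, mobile)
    except Exception:
        # Generic handler meant for RegionError: retries as superuser, so a blocked
        # viewer's PermissionError also ends in a privileged read of the post.
        return fetch(post, "superuser", mobile)

def oembed_hardened(post_id, viewer, mobile):
    post = POSTS.get(post_id)
    if post is None or not authorize(post, viewer):
        return {"status": 404}  # one response for missing, private and blocked
    try:
        return fetch(post, viewer, mobile)
    except RegionError:
        # Fallback only for the error it was designed for, and only after the real viewer passed authorization.
        return fetch(post, "superuser", mobile)
```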