Instagram Spark AR Studio Vulnerability Discovered by 14-yr Old Researcher – Awarded $25,000

Andres Alonso has netted a rather nice sum of money, $25,000 to be exact, for stumbling upon a critical XSS vulnerability in Instagram’s Spark AR Studio.

This 14-year-old ethical hacker first reported the issue to Facebook’s security team as an open redirect flaw in how the tool creates Augmented Reality filters; it was later escalated to an XSS vulnerability.

Spark AR Studio can be used by Instagram users to create “Augmented Reality” (AR) effects for both videos and photos taken with an iPhone or other smartphone.

Accidental Discovery

Alonso discussed how he accidentally stumbled upon this critical stored XSS while building an Instagram-integrated app to create some filters for mobile.

During his research, he says, he was looking into how to “generate the filter links to test the filter on the smartphone”.

Once he exported the preview file (preview.arexport), he tried changing the name of the filter, which in turn changed the filter notification.

With that in mind, he attempted his XSS by placing a malicious filter name in the meta field of the desktop app, having noticed that his preview file URL appeared in the meta content section of the HTML, as seen below:

After his first XSS attempt with a malicious filter name failed, he tried inserting a malicious redirect, using HTML encoding to bypass the filters and then injecting the payload for the meta refresh along with the malicious URL:

If you’re familiar with how HTML META values work, you’ll understand that he was able to inject an http-equiv attribute with refresh as its value and use the content field to specify his malicious redirect domain.

Alonso came to the conclusion that it’s possible to achieve XSS by injecting a charset attribute and using UTF-7-encoded characters to encode the payload.
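The root cause described above is a user-controlled filter name landing unescaped inside a `<meta>` attribute, so it can close the attribute and add its own `http-equiv`, `content` or `charset` attributes. The following Python is an added illustration, not code from Spark AR Studio or from Alonso’s report: it shows a naive renderer beside one that escapes for the attribute context, plus a detection check that decodes HTML entities before looking for attribute-injection markers. The filter names and the `redirect.example` domain are constructed samples.

```python
import html
import re

# Constructed sample filter names (not taken from the report). The second one
# tries to close the content attribute and add its own attributes, the class of
# injection the article describes; the third hides the same thing behind HTML
# entities, in case a later component decodes them.
BENIGN_NAME = "Sunset Glow"
ATTR_BREAK_NAME = 'x" http-equiv="refresh" content="0;url=https://redirect.example/'
ENTITY_NAME = ("x&quot; http-equiv=&quot;refresh&quot; "
               "content=&quot;0;url=https://redirect.example/")


def render_meta_vulnerable(filter_name: str) -> str:
    """Naive concatenation: the name lands inside the attribute unescaped."""
    return '<meta name="filter" content="%s">' % filter_name


def render_meta_hardened(filter_name: str) -> str:
    """Escape for the attribute context: quotes become &quot;, so the name can
    never terminate the content attribute or introduce a new one."""
    return '<meta name="filter" content="%s">' % html.escape(filter_name, quote=True)


# Attribute names that have no business appearing inside a filter name.
META_ATTR_RE = re.compile(r"\b(http-equiv|charset|content)\s*=", re.IGNORECASE)


def looks_like_meta_injection(filter_name: str) -> bool:
    """Input-validation / log-review check. Entities are decoded first, since an
    encoded value can pass a naive filter and be decoded by a later component."""
    decoded = html.unescape(filter_name)
    if any(ch in decoded for ch in "\"'<>"):
        return True
    return bool(META_ATTR_RE.search(decoded))


if __name__ == "__main__":
    for name in (BENIGN_NAME, ATTR_BREAK_NAME, ENTITY_NAME):
        print(looks_like_meta_injection(name), render_meta_hardened(name))
```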

The open redirect ended up working for Alonso, and after reporting his findings to Facebook’s security team he was handsomely greeted with this message:


The message from Facebook mentions that not only was he awarded $25,000 USD for his findings, but that the issue Alonso reported was an open redirect that could be escalated to an XSS, and that it has yet to be abused in the wild!

Facebook, which owns and runs Instagram, was pleasantly surprised, and we personally feel that $25k is an awesome sum for anyone, regardless of age!

Facebook Bug Bounty

This payout is one of many Facebook has made through its Bug Bounty program since adding Spark AR and the Hermes JavaScript engine to its scope.

The maximum reward for any bug bounty is $40,000, available to anyone who can successfully prove RCE (remote code execution) while running a Spark AR effect, either through the Spark AR platform or the Hermes JavaScript virtual machine!

About the author


Jay David Paul

Jay David Paul has been in the IT & cyber security industry for over 16 years, with experience in Linux, Cisco and Windows Server environments. He's great at communication and at getting into the security issues that matter.

Jay David Paul has experience configuring, troubleshooting and optimizing Linux environments and web servers. He loves traveling, scenic tours and exploring the outdoors.
