Andres Alonso has netted a rather nice sum of money, $25,000 to be exact, for stumbling upon a critical XSS vulnerability in Instagram's Spark AR Studio.
This 14-year-old ethical hacker first reported the issue to Facebook's security team as an open redirect flaw in how the tool creates Augmented Reality filters; it was later escalated to an XSS vulnerability.
Spark AR Studio can be used by Instagram users to create "Augmented Reality" (AR) effects for both videos and photos taken with an iPhone or other smartphone.
Alonso discussed how he accidentally stumbled upon this critical stored XSS while building an Instagram-integrated app to create some filters for mobile.
In his discovery process, he was researching how to "generate the filter links to test the filter on the smartphone", he says.
Once he exported the preview file (preview.arexport), he went ahead and tried to change the name of the filter, which in turn changed the filter notification.
With that in mind, he attempted his XSS by placing a malicious filter name in place of the original text in the meta field of the desktop app, having noticed that his preview file URL appeared in the meta content section of the HTML, as seen below:
After his first XSS attempt with a malicious filter name failed, he tried inserting a malicious redirect, using HTML encoding to bypass the filters and then injecting the payload for the meta refresh along with the malicious URL:
If you're familiar with how HTML META values work, you'll understand that he was able to inject an http-equiv attribute with refresh as its value and use the content field to specify his malicious redirect domain.
Alonso concluded that it is possible to escalate this to XSS by also injecting a charset attribute and encoding the payload as UTF-7 characters.
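As an added defender's example (not code from the article, Alonso, or Spark AR Studio), the block below shows the two sides of this bug against a hypothetical page template that drops a filter name into a meta content attribute: attribute escaping that stops the name from closing the attribute, and an audit that flags any injected meta refresh or charset override in the rendered document. The template, the auditor and the test value are all constructed here.

```python
import html
from html.parser import HTMLParser


def escape_attr(value: str) -> str:
    """Escape untrusted text for a double-quoted HTML attribute.
    Quotes become &quot; so the value can never terminate the attribute."""
    return html.escape(value, quote=True)


def render_meta(filter_name: str, escape: bool = True) -> str:
    """Hypothetical template: the filter name lands in a meta content attribute,
    as the article describes. escape=False reproduces the weak rendering."""
    name = escape_attr(filter_name) if escape else filter_name
    return f'<html><head><meta name="description" content="{name}"></head></html>'


class MetaAuditor(HTMLParser):
    """Collects meta tags that a filter-name value should never be able to add."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # http-equiv="refresh" is the open redirect primitive from the report
        if a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh: " + a.get("content", ""))
        # a charset override (e.g. UTF-7) is the escalation path to XSS
        if a.get("charset", "").lower() not in ("", "utf-8"):
            self.findings.append("charset override: " + a["charset"])


def audit(document: str) -> list[str]:
    """Return the suspicious meta tags found in a rendered HTML document."""
    p = MetaAuditor()
    p.feed(document)
    p.close()
    return p.findings


# Constructed test value: a filter name that tries to close the attribute,
# add a redirecting meta tag, then override the charset. Placeholder URL.
PAYLOAD = ('x"><meta http-equiv="refresh" content="0;url=https://redirect.example/">'
           '<meta charset="utf-7"><meta name="x" content="')
```

Because the auditor parses the rendered document, entity-encoded characters inside attribute values are decoded before the check, so only a genuinely injected tag is reported.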
The open redirect ended up working for Alonso, and after reporting his findings to Facebook's security team, he was handsomely greeted with this message:
The report from Facebook mentions that not only was he being awarded $25,000 USD for his findings, but the issue he reported was an open redirect that could be escalated to an XSS on Instagram.com, adding that it has yet to be abused in the wild!
Facebook, which owns and runs Instagram, was pleasantly surprised, and we personally feel that $25k is an awesome sum for anyone, regardless of age!
Facebook Bug Bounty