Writeups: Facebook Whitehat program(2021): Instagram Live setting bug

Writeups: Facebook Whitehat program(2021): Instagram Live setting bug
2021-05-20 22:58:57 Author: infosecwriteups.com(查看原文) 阅读量:141 收藏

Instagram live’s archived setting turns on automatically after IG user ends live video even if IG user turned off archive setting previously

Instagram app turns on Live archive setting when a user ends IG live & starts live again.

It is a problem because archived live can be seen in creator studio’s calendar by other FB page user.

In creator studio’s calendar, other users who can access to IG account(i.e. page advertiser) can see IG public content & archived content, but not deleted content.

If IG user goes IG live second time while IG user turned off IG live’s archive setting in first time’s IG live, IG user assume that second time’s live video will also be deleted from IG app & ended live video will not appear in creator studio’s calendar where other users (i.e. page advertiser) can see ended live video.

Should IG user turns off live’s archive setting whenever IG user ends IG live? If IG user goes IG live a second time while IG user forgot to check archive setting, ended IG live video will automatically be saved in creator studio’s calendar.

Why IG app automatically turns on live’s archive setting without the user’s consent? IG user may assume second live’s archive setting will also be turned off.

Tested device: iOS 14.4 & iPadOS 14.4

Tested app: Instagram iOS version 177.0

1 IG creator/business account(Victim User) which is connected to FB business page

1 FB account(Attacker user) who can access to IG account(i.e. page advertiser) in FB creator studio

Victim IG user turns off live’s archive setting from IG mobile app(Settings -> Privacy -> Story -> Save Live to Archive)

2. Victim IG user starts IG live

3. Victim IG user ends IG live and delete IG live

4. Repeat Step 2 & Step 3

5. Repeat Step 1, you will notice “Save Live to Archive” was turned on automatically.

6. Attacker FB user goes to creator studio’s calendar page.

IG live video is archived even if IG user turned off IG live’s archive in Step 1 because archive setting was turned on automatically.

When IG user ends IG live, IG mobile app should not turn on IG live archive setting without user’s consent because other FB user who can access IG account in creator studio can see ended Live video.

Reported: March 4, 2021

Triaged: March 6, 2021

Fixed: March 12, 2021

Bounty Awarded: March 31, 2021

文章来源: https://infosecwriteups.com/writeups-facebook-whitehat-program-2021-instagram-live-setting-bug-500-usd-d2d076b3f8bb?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh