Unlimited report user in Instagram (Facebook) leads to abuse risk.
2021-09-21 02:07:06 Author: infosecwriteups.com

Mano Prasanth

Hello, it’s Mano Prasanth here,

Photo by Alexander Shatov on Unsplash

This write-up is about a simple rate-limiting bug which I found on Instagram.

This is my first bug report at Instagram. As a noob bug hunter, I tried various hunting methods to find a bug in Facebook. First, I started with authentication and moved further into other types. But it seemed everything was secure with authentication, to my knowledge :/ (Anyway, nothing is completely secure).

Before this report, I was hunting on Bugcrowd, but unfortunately my previous reports were duplicates. Then I started to hunt private programs and got some valid bugs. Then I thought of finding bugs in GAFAM and decided to hunt for Facebook’s acquisitions.

This isn’t a severe bug but rather a low-severity bug that has the potential to get rid of your enemies on Instagram, lol.

This bug allowed anyone on Instagram to report a user an unlimited number of times (abuse risk). If you try to do it manually, you might end up frustrated or wasting a day. Generally, most of the tech giants limit these types of bugs by rate limiting their POST requests or by using a WAF, captcha, etc. But Instagram hadn’t implemented any rate limit in the report user feature. To start the attack, I used Burp Suite to manipulate the request-response cycle. On Instagram, before submitting the report, I intercepted that particular POST request and sent it to Intruder to make it easier. Then I selected a position for the payload. The choice of payload position should not have any effect on the response. Instead of a null payload, I chose a position in the header - Accept-Language: en-US,en;q=0.$5$. Then I started the attack with 100 payloads. I got an HTTP 200 OK status code, and every response showed the report as submitted, like “text”:”Thank you, we received your report”. Generally, you will get a “rate limit exceeded” response after four to five POST requests. But…….

Below is the impact of the attack which I submitted to Facebook.

Impact:
It seems that there is no rate limiting in the user account report feature, which leads to a large number of report submissions. They will stack up in your reports, causing inconvenience when working with the report feature. You may not know whether the reports are true or not unless you check each one individually, and this may lead to spam of the feature.

I know rate-limit-related bugs usually don’t qualify for bounties. But I tried to report my close friend from four Instagram demo accounts, each with 100 reports, and everything worked perfectly. I didn’t complete these attacks and immediately terminated the attack to report this issue to Facebook. So, this may definitely gain some attention from Facebook. There are two possibilities here. They may either filter the reports arising from the same accounts, or they might not inspect every report and only look at the count. If the latter is true, then there is some chance that your account might be considered for deletion. You don’t know unless you are an employee at Facebook managing this report feature. Facebook admitted that they won’t look into each report, but if an account reaches enough reports, then they will examine some reports and take action against it. Though Facebook has internal protocols to go through before deleting a user, this bug could have allowed anyone to spam Instagram users and Facebook’s internal infrastructure.
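The two gaps the write-up points at, no per-reporter throttle on the report endpoint and raw submission counts standing in for distinct reporters, map onto two simple server-side checks. The following is an added example written for this post, not Instagram’s or Facebook’s code; the class, limits, and the burst helper are constructed assumptions, and the helper replays the 100-request Intruder run and the four-account scenario described above:

```python
from collections import deque, defaultdict

# Constructed example: server-side controls for a "report user" endpoint.
# Two independent checks, both of which the write-up says were missing:
#   1. a reporter may hold at most one open report per target (dedup),
#   2. a reporter may file at most `limit` reports per `window` seconds
#      (sliding window), whatever the targets are.
# The limit values are illustrative assumptions, not Instagram's.

ACCEPTED, DUPLICATE, RATE_LIMITED = "accepted", "duplicate", "rate_limited"


class ReportGate:
    def __init__(self, limit=5, window=600):
        self.limit = limit
        self.window = window
        self.open_reports = defaultdict(set)   # reporter -> {targets}
        self.recent = defaultdict(deque)       # reporter -> timestamps (s)

    def submit(self, reporter, target, now):
        """Decide whether one report request is accepted."""
        if target in self.open_reports[reporter]:
            return DUPLICATE                   # same reporter, same target
        q = self.recent[reporter]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return RATE_LIMITED                # answer with HTTP 429
        q.append(now)
        self.open_reports[reporter].add(target)
        return ACCEPTED

    def distinct_reporters(self, target):
        """Number of unique accounts with an open report on `target`.
        This, not the raw submission count, should drive any review."""
        return sum(1 for ts in self.open_reports.values() if target in ts)


def replay_intruder_burst(gate, reporter, target, n=100):
    """Simulate the write-up's Intruder run: n identical POSTs in a burst."""
    return [gate.submit(reporter, target, now=i * 0.01) for i in range(n)]
```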

Acknowledgment from Facebook

Though rate-limiting bugs don’t get me bounties, it’s quite amusing to spam friends. I once sent 179 invitation messages (better than an SMS bomber) within a span of 5 minutes with the help of a misconfigured rate limit on the landing page of Glance.

Thanks for reading :)

Happy Hunting!!

LinkedIn: https://www.linkedin.com/in/mano-prasanth-m-908b061b8/


Source: https://infosecwriteups.com/unlimited-report-user-in-instagram-facebook-leads-to-abuse-risk-efcca325aada?source=rss----7b722bfd1b8d--bug_bounty