Follower and Following interchanged due to a logic error

RV Sharma
May 16, 2021

Reported on Saturday, 14 March 2020

Vuln Type

Read Data Improperly

Product Area

Android

Description/Impact

Complete Details

1. I was using the Instagram app, and after I had seen the whole feed for the day, an “Accounts you might like” panel appeared to connect me with other users. One of the public accounts in it was named VIT VELLORE(Official), and below it was written “Followed by Google”. I was amazed to see Google following it. I opened the account and checked its followers, but Google was not in the followers list. Google was, however, in the account’s Following list. So I verified that the follower and following accounts had been interchanged due to a backend logic error.

2. There was one more account, named “Celine Joseph”, in the “Accounts you might like” section. It was shown as followed by “Indian air force”. I opened the account, but it was a private account. This means that the Following list of a private user account is visible to the public, which is a setback to the user’s privacy.

3. Both of these accounts, Google and Indian Air Force, are followed by me.

Here’s the screenshot

POC

Impact

1. Big, reputable organizations will have their profile affected whenever the scenario described in point 1 occurs. When a user sees a page labelled “followed by Google”, it has a positive effect on him and creates trust in following a page that is followed by a big company like Google.

2. Wrong information is shown to the public by interchanging the Follower and Following accounts. This creates a breach of trust for both user A (the suggested account) and user B (Google).

3. In the second scenario, a private account’s secret information is available to the public, which is a breach of the user’s privacy.
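As an added illustration, not Instagram’s code and not part of the original report, the Python model below reproduces the two scenarios above with constructed data: the account names are the ones in the write-up, but the follow relationships, the extra account “Alice” and all function names are assumptions. It places a “Followed by” label builder that reads the wrong edge direction (the swap the report describes) next to one that reads the correct direction, encodes the check the author performed by hand (comparing the label against the account’s real followers list), and tests whether a label reveals an entry from a private account’s Following list.

```python
# Added example, not Instagram's code: a toy model of the "Followed by"
# label on an "Accounts you might like" suggestion. Account names follow
# the report; the follow edges and the "Alice" account are assumptions.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    private: bool = False
    followers: set = field(default_factory=set)  # accounts that follow this one
    following: set = field(default_factory=set)  # accounts this one follows


def follow(src: Account, dst: Account) -> None:
    """Record the directed edge src -> dst on both ends."""
    src.following.add(dst.name)
    dst.followers.add(src.name)


def followed_by_label_buggy(viewer: Account, suggested: Account) -> list:
    """Builds the label from the suggested account's *following* list.

    This is the swap the report describes: an account that the suggested
    account follows is presented as one of its followers.
    """
    return sorted(viewer.following & suggested.following)


def followed_by_label_fixed(viewer: Account, suggested: Account) -> list:
    """Builds the label from the suggested account's *followers* list,
    restricted to accounts the viewer follows."""
    return sorted(viewer.following & suggested.followers)


def check_label(suggested: Account, label: list) -> dict:
    """The check the author did by hand: classify each name shown in the
    label against the suggested account's real lists."""
    result = {}
    for name in label:
        if name in suggested.followers:
            result[name] = "follower"
        elif name in suggested.following:
            result[name] = "following-only"  # label shows the wrong direction
        else:
            result[name] = "neither"
    return result


def leaks_private_following(viewer: Account, suggested: Account, label: list) -> bool:
    """True if the label reveals an entry from a private account's Following
    list to a viewer who is not an approved follower (report scenario 2)."""
    if not suggested.private or viewer.name in suggested.followers:
        return False
    verdict = check_label(suggested, label)
    return any(verdict[name] == "following-only" for name in label)


def build_scenario() -> dict:
    """Constructed data mirroring the report; the edges are assumptions."""
    me = Account("me")
    google = Account("Google")
    iaf = Account("Indian Air Force")
    vit = Account("VIT VELLORE(Official)")
    celine = Account("Celine Joseph", private=True)
    alice = Account("Alice")  # extra public account, genuinely followed by Google
    follow(me, google)
    follow(me, iaf)
    follow(vit, google)       # VIT follows Google; Google does not follow VIT
    follow(celine, iaf)       # the private account follows IAF
    follow(google, alice)
    return {a.name: a for a in (me, google, iaf, vit, celine, alice)}


if __name__ == "__main__":
    acc = build_scenario()
    me = acc["me"]
    for target in ("VIT VELLORE(Official)", "Celine Joseph", "Alice"):
        s = acc[target]
        buggy = followed_by_label_buggy(me, s)
        fixed = followed_by_label_fixed(me, s)
        print(target, "| buggy label:", buggy, check_label(s, buggy),
              "| fixed label:", fixed,
              "| leaks private following:", leaks_private_following(me, s, buggy))
```

Running the script prints, for each suggested account, the label each builder would produce and how the buggy label classifies against the real followers list; only the buggy builder labels VIT VELLORE(Official) and the private Celine Joseph account, and only the fixed builder labels Alice, whom Google actually follows.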

Repro steps

Setup

Environment: App version 130.0.0.31.121

Browser: Instagram Android App

OS: Android 8.1.0

Description:

Open the Instagram application on your Android phone. After you have seen all your posts, a window appears headed “Accounts you might like”, showing the suggestions made by the Instagram algorithm.
Steps
1. Open the Instagram Android app.
2. Scroll through the whole day’s feed. (Optional)
3. Wait for the “Accounts you might like” panel to appear.

Facebook Reply:

[screenshot of the Facebook team’s reply]

I did not get the bounty but I learned a lot about the whole process.

