When I was browsing Instagram using my iPhone and clicked a link, I noticed that Instagram launched a feature named Link shim. This is used to protect Facebook and Instagram users from malicious URLs.
So my first step was to test Instagram for an Open Redirect. When you click any URL on Instagram it will look similar to the following
So I cleared my session cookies and web cache and tested the effect of changing the u parameter to another URL
This tells the user that he/she will be redirected to another URL.
Leaving Instagram You followed a link on instagram.com that redirects to http://ameeras.me
If the user clicked the follow link he/she will be redirected to
Hmmm, let’s try to change this Open Redirect to XSS!
I returned to
and changed the URL in the u parameter to
Then I clicked
The last line, location.href, was vulnerable to XSS.
Here is a demonstration with Instagram session cookies
Facebook has since filtered for invalid links
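
One way a link shim can filter invalid links before the u parameter reaches location.href, shown as an added example that is not Facebook's fix or code from this write-up. The function names, the shim.example URL and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not Instagram's or Facebook's code. resolveShimTarget,
// targetFromShimUrl and the shim.example host are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL that is safe to assign to location.href,
// or null when the value must be refused.
function resolveShimTarget(rawU) {
  if (typeof rawU !== "string" || rawU.length === 0) return null;
  let parsed;
  try {
    // No base URL: relative and scheme-relative ("//host") inputs throw here.
    parsed = new URL(rawU);
  } catch (err) {
    return null;
  }
  // Check the parsed protocol, never a prefix of the raw string: the URL
  // parser lowercases the scheme and strips leading spaces and embedded
  // tabs/newlines, exactly as the browser does when navigating.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Refuse user:pass@host forms, which make the interstitial show a
  // misleading host name in front of the real one.
  if (parsed.username !== "" || parsed.password !== "") return null;
  return parsed.href;
}

// Extracts the u parameter from a shim URL and validates it.
function targetFromShimUrl(shimUrl) {
  const u = new URL(shimUrl).searchParams.get("u");
  return u === null ? null : resolveShimTarget(u);
}

// Constructed sample inputs (not taken from the original report).
const samples = [
  "https://shim.example/redirect?u=http%3A%2F%2Fameeras.me",
  "https://shim.example/redirect?u=javascript%3Avoid(0)",
  "https://shim.example/redirect?u=%20JaVaScRiPt%3Avoid(0)",
  "https://shim.example/redirect?u=data%3Atext%2Fhtml%2Chi",
  "https://shim.example/redirect?u=%2F%2Fameeras.me",
];
for (const s of samples) {
  const target = targetFromShimUrl(s);
  console.log(target === null ? "refused " : "redirect", s);
}
```

The interstitial page should write only the returned value into location.href and show an error when the result is null.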
- June 20, 2016: Bug Reported
- June 22, 2016: Facebook confirms the vulnerability
- June 23, 2016: Facebook informs me they have fixed the issue
- June 30, 2016: Bounty awarded
Finally, I would like to thank @phwd for helping make this write-up.