Instagram vulnerability : Turn off all type of message requests using deeplink (Android)
Instagram vulnerability description:
In the Instagram for android has messaging tool, users can change message controls to decide whether they want to receive messages from potential connections or other people from Facebook and Instagram.
Instagram’s Android app has implemented a deeplink instagram://turn_off_message_requests that can turn off all requests so the user won’t receive messages from anybody, and this deeplink executes headlessly so there is no UI after execution of the deeplink.
Thus, a malicious or rogue app could execute a turn-off message request deeplink without any permission, like FB_APP_COMMUNICATION and Attacker could have able to disabled all receiving messages of Instagram user.
Repro steps:
Instagram android app version: 258.1.0.26.100
Goto Instagram for Android > Messages > Tools > Message controls
Set
deliver requests totomessage requestsClose Instagram app
Launch
instagram://turn_off_message_requestsdeeplink.Open Instagram app and goto message controls, you can see all option become
Don’t receive.
POC:
Timeline:
- 29/10/2022: Report submitted.
- 02/11/2022: Triaged
- 09/11/2022: Bounty
- 20/12/2022: Fixed
Follow me on Twitter:
https://twitter.com/RahulKankrale