Critical ops facebook hack

I intercepted all the HTTP requests using Burp, and after forwarding some requests I saw the following HTTP request. For testing, I changed my reel thumbnail. After spending some time with the target, I came to the point where users can edit their reel's cover photo (thumbnail). Initially, I tested on the Instagram Ads GraphQL API, but after long hunting, when I could not find any bug there, I started hunting on the Instagram reels section.

I started hunting on the Instagram app in December 2021.

So How I Found This Bug - Storyline (without technicals)

Using this vulnerability, the attacker could have changed the reel thumbnails of any Instagram user by knowing the clips_media_id (Media ID of reel) of that user.

Hello everyone, I am Neeraj Sharma, a 20-year-old Security Enthusiast from India.

How I found a Critical Bug in Instagram and Got 49500$ Bounty From Facebook
