A critical vulnerability that could permanently crash the comments section of all Instagram accounts, including high-profile users like Mark Zuckerberg, CEO of Meta Platforms and Facebook, was flagged by a student from Tamil Nadu on July 18, 2024. Three months later, Meta fixed the issue and rewarded Prathap Ilango, a final-year engineering student from Coimbatore, with a bounty.

The 20-year-old demonstrated how an attacker could upload a malicious Graphics Interchange Format (GIF) file in the comments section of Instagram posts, resulting in the victim (user) experiencing repeated crashes. Others who commented on the posts would find their Instagram app freezing and crashing, rendering it unusable for about two minutes before restarting.

While testing some Instagram functions, Mr. Prathap, a security researcher, found that the app requested a “comment_text” parameter when a GIF was uploaded. After some experimentation, he realised that altering certain inputs triggered a crash, a ‘Zero Day’ vulnerability potentially impacting millions of Instagram accounts globally.

“This was not just a minor glitch but a fully developed vulnerability that allowed me to crash any post on Instagram permanently, making it completely inaccessible and causing a permanent denial of service (DoS). And yes, that includes crashing the comments section on any user’s post, even Mark Zuckerberg’s,” he said.

Mr. Prathap said the targeted comments section would become inaccessible not only to the victim but to any other user attempting to view it. The victim would have no idea what was causing the crash and would not be able to delete the comment or interact with the post in any way.

He said the only way to resolve the issue was for the attacker to delete the GIF, followed by the victim deleting the post from a personal computer interface. The malicious content that triggered the crash would remain active until manually removed.

‘Hall of Fame’

Besides the bounty, Mr. Prathap, a certified ethical hacker, was also named in the Meta Security Researchers ‘Hall of Fame’.

“Previously, I have identified vulnerabilities and helped fix issues for over 100 top brands and startups, including Facebook, Delta Airlines and popular shopping brands,” he said.