In this write-up, I share the story of an Instagram bug where a deactivated account could be silently reactivated without the victim's knowledge.


Hi everyone, this is Shubham Bhamare. Today, I'm going to share the story of one of the most creative and painful findings of my bug hunting journey. The target? Instagram, which of course means Meta. 😅

This one is special, not because of the bounty (spoiler: there isn't one 🥲), but because of everything around it. A last-minute hunt on New Year's Eve just to keep a streak alive. A bug that could silently reactivate someone's Instagram account without them ever touching their phone. A Meta security analyst who told me it would get a bounty. And then… well. You'll see. 😅

Let's get into it! 🚀

Long story short:

Let me set the scene before we get into the bug. 😄

I've been on the Meta Whitehat Hall of Fame for 4 consecutive years: 2018, 2019, 2020, and 2021.

But in 2022, life got busy. Other things took over, and I had almost completely stepped away from bug hunting. I hadn't found anything that year and had basically accepted that my streak was ending at 4.

Then, towards the very end of December 2022, a close friend of mine said something that changed everything: "You've been on Hall of Fame for 4 consecutive years. Why not hunt for just one more bug in 2022? It'll make it 5 consecutive years." That was all I needed to hear. 😄

So, on December 31st, with barely any time left in the year, I gave Meta (particularly Instagram) one last shot, and found this bug.

The bug:

It was simple. When someone (an attacker) initiates a password reset for a deactivated Instagram account, Instagram sends a password reset link via SMS to the registered phone number. 👇

(screenshot of the password reset SMS, not reproduced here)

Now, most modern devices (iPhones with rich link previews, Android phones with Google Messages) and many other popular messaging apps have a feature called link preview. It automatically visits any link that arrives in a message to fetch a preview of the content. The user (the victim) doesn't tap anything and doesn't even have to look at their phone; the app does it silently, in the background.

Here's where it gets dangerous:

Instagram treats that automatic link visit as a genuine user visit (a valid session trigger) and reactivates the deactivated account on the spot.

So the attack looks like this:

  • The victim has deactivated their Instagram account for privacy or security reasons.
  • The attacker initiates a password reset for the victim's account (all they need is the victim's phone number, email address, or just their username).
  • Instagram sends a password reset SMS containing the link to the victim's phone.
  • The victim's messaging app automatically visits that link in the background to generate a preview. (Note: the victim does need to have the link preview feature enabled, but on most devices and SMS apps it is on by default, so most users won't even realize it's there.)
  • And BOOM! The victim's deactivated Instagram account is now public and reactivated, without them doing anything or even unlocking their phone. 😱

And to make it worse:

Instagram has a 7-day waiting period before a user can deactivate their account again. So even if the victim notices immediately, their account stays public and active for a whole week with no way to take it down. 🥲

Timeline:

(The truly painful part of this write-up 😅)

Dec 31, 2022: Report sent.

Jan 1–12, 2023: Sent additional details, tested on multiple real devices including iPhone, Xiaomi, OnePlus, Samsung and Vivo. Confirmed it was easily reproducible on all of them.

Jan 12, 2023: Triaged. They sent it to the appropriate product team for further investigation.


During this period, I was also connected to Meta's Whitehat Workplace instance, a platform where security researchers could communicate directly with members of Meta's security team. I reached out to Teo (who triaged this report) there as well, and he told me that this was a "creative bug", and it would definitely get a bounty.


So, at this point I was happy and fully assured, not just about the bounty, but more importantly, about making it onto the 2022 Hall of Fame.

Feb 9, 2023: They replied to my follow-up messages sent in the meantime.


May 17, 2023: They replied to my follow-up messages.


Fast forward to May 15, 2024: Meta said they couldn't reproduce the issue on their end and asked me for a video proof of concept.


May 21, 2024: I confirmed it was still reproducible on my end and shared a fresh video PoC.

(I sent multiple follow-ups in the meantime.)

July 31, 2024: Meta replied with this:

(screenshot of Meta's reply, not reproduced here)

Feb 18, 2025 (after almost 2 years): Meta closed it as Informative. 🥲


They fixed this by showing a confirmation page to reactivate the Instagram account when the password reset link is opened, instead of reactivating it on the link visit itself.
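To make the root cause and the fix concrete, here is a small added model (my own illustration, not Instagram's code) of the bug described above and of the confirmation-page fix. The account store, token format and `example.invalid` link are constructed assumptions; the point is that a link-preview fetcher only ever issues a GET, so the state change must require an explicit POST.

```python
# Added example: models the reactivation-on-GET bug and the confirmation-page fix.
# A messaging app's link-preview bot fetches the reset link with a plain GET,
# so any handler that changes account state on GET is triggered by the preview.
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    deactivated: bool = True


class ResetService:
    """Constructed stand-in for the password reset backend."""
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.tokens = {}  # reset token -> username

    def start_reset(self, username):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return f"https://example.invalid/reset/{token}"  # link sent by SMS

    def account_for(self, token):
        user = self.tokens.get(token)
        return self.accounts.get(user) if user else None


def handle_vulnerable(service, method, token, confirm=False):
    """Bug: any visit to the link, whatever the method, reactivates the account."""
    acct = service.account_for(token)
    if acct is None:
        return 404, "invalid token"
    acct.deactivated = False
    return 200, "password reset form"


def handle_fixed(service, method, token, confirm=False):
    """Fix: GET only renders a confirmation page; state changes only on a
    confirming POST that carries the token, which a preview fetcher never sends."""
    acct = service.account_for(token)
    if acct is None:
        return 404, "invalid token"
    if method == "GET":
        return 200, "confirmation page: reactivate this account? (POST confirm=1)"
    if method == "POST" and confirm:
        acct.deactivated = False
        return 200, "account reactivated; password reset form"
    return 400, "explicit confirmation required"


def simulate_preview_fetch(service, handler, link):
    """A link-preview bot fetches the URL with GET and never submits a form."""
    token = link.rsplit("/", 1)[1]
    return handler(service, "GET", token)
```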

Also read:

  1. This is How I Turned an Informative Bug into a Valid $500 Bug (Bounty: 500 USD)
  2. Missing rate-limiting. How I was able to add any unowned phone number to my Facebook account? (Bounty: 5000 USD)
  3. Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD)
  4. Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD)
  5. Facebook page admin disclosure by "Create doc" button (Bounty: 5000 USD)

That's all for now! Thanks for reading, and stay tuned for my next write-up. Let's connect on other platforms as well. Check out my Linktree here.