Quick note — I built HackThrough. It turns real bug bounty writeups into interactive step-by-step challenges. This bug is on there. Go play it instead of just reading if that sounds interesting.

Imagine you're testing a new feature on Instagram called IGTV (their vertical video platform). You're uploading your own videos, adding descriptions, and everything works normally. Then you get curious: what happens if I change a number in the web address when I'm saving my video description?
That's exactly what JubaBaghdad (Sarmad Hassan) did in mid-2018. And what he found was striking: by changing just one number, he could set the description on someone else's Instagram post, not just his own. This class of vulnerability is called IDOR. Let me break this down in simple terms.

What Is IDOR?
IDOR stands for Insecure Direct Object Reference. Sounds scary, but here's what it means in plain English:
Imagine you have a locker at school with your own combination. The system is supposed to check: "Does this person own this locker?" before letting them open it. But what if the system forgot to check? What if it just saw: "User wants to open locker #123" and opened it — without verifying that locker #123 actually belongs to that user? That's IDOR. The system uses a reference (like a locker number or a post ID) but doesn't check if you're allowed to access that specific thing.
How He Found the Weak Spot
While using IGTV, JubaBaghdad noticed this request being sent when he saved the description of his own video:
```http
POST https://www.instagram.com/media/[HIS_VIDEO_ID]/edit/

caption=MyVideo&publish_mode=igtv&title=test
```
That request saved the caption "MyVideo" to his own video. He wondered: what happens if I change [HIS_VIDEO_ID] to someone else's video ID? He picked a victim video that did not have a description set yet. The victim's media ID is easy to obtain: press the like button on that video and intercept the resulting request with Burp Suite.
So he tried it. He swapped in the victim's video ID and changed the caption parameter:
```http
POST https://www.instagram.com/media/[SOMEONE_ELSE'S_VIDEO_ID]/edit/

caption=HACKED&publish_mode=igtv&title=test
```
To his surprise, Instagram's servers processed the request. They never checked whether he owned that video; they simply saved the description to whatever media ID he supplied.
The Tricky Part: Error Messages That Lie
Here's where it gets interesting, and where many hunters would give up. When he sent that request, Instagram returned:
```http
500 Internal Server Error

Oops an error occurred
```
Most people would see that error and think: "Well, that didn't work. The system blocked me." But JubaBaghdad did something smart: he went and looked at the other person's Instagram post. And there it was: his description, live on someone else's content. The error message was misleading. The write had succeeded despite the scary-looking response.
Why This Mattered
At first glance, editing a description seems harmless. No credit cards leaked. No accounts hijacked. Just… words on a screen. But JubaBaghdad showed why this was actually serious:
- Imagine changing a brand's product description to say: "This product is dangerous — do not buy!"
- Imagine altering a memorial post to add offensive content during someone's time of grief
- Imagine changing a politician's statement to spread false information before an election
- Imagine doing this to thousands of posts at once to manipulate what people believe
This wasn't about stealing data — it was about hijacking trust. When you see something on Instagram, you assume it's from the person who posted it. This bug let attackers break that assumption.
The Good News: Facebook Responded Well
Facebook's security team took this seriously from the start:
- August 6, 2018: JubaBaghdad submitted the bug report
- August 14, 2018: They triaged it (confirmed it was real and important)
- August 15, 2018: They fixed the vulnerability
- October 10, 2018: They awarded him $6,500
Nine days from report to fix. No endless arguments. They understood that being able to alter what millions of people see is a serious issue, even if it doesn't involve stealing passwords or money.
What This Teaches Us (Especially If You're New to Security)
- Always check the actual result: If you get an error message, don't assume it means "blocked." Go look and see what actually changed.
- New features need extra love: When companies rush out new features (like IGTV in 2018), security checks sometimes get missed. These are prime hunting grounds.
- Simple changes can have big effects: You don't always need fancy hacking tools. Sometimes changing one number in a web address is enough.
- Impact isn't just about data theft: Changing what people see can be just as harmful as stealing their information — sometimes more so.
- Document what you can do: Saying "I can edit descriptions" is weak. Showing why that matters (brand safety, misinformation risks, trust erosion) is what gets attention and payment.
The Bottom Line for Everyone
This bug from 2018 teaches a timeless lesson: websites and apps need to check not just "Is this user logged in?" but also "Is this user allowed to do this specific thing?"
For everyday users: Be aware that what you see online isn't always guaranteed to be from who you think it is — especially if it seems out of character.
For builders: Always validate ownership on the server. If your app uses IDs in web addresses (like /posts/123/ or /users/456/), check that the current user owns (or is otherwise authorized to modify) that specific item before any state changes, and never rely on the ID being hard to guess.
For hunters: Keep testing the edges. Change those numbers. Ignore scary error messages and check the real outcome. Sometimes the biggest holes are hiding in plain sight.
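To make the builder's fix and the hunter's "check the state, not the status code" habit concrete, here is an added example in Python; it is not code from the original post or from Instagram. It models the /media/<id>/edit/ endpoint with an in-memory store, and the user names, media IDs and the misleading 500 response are assumptions constructed for illustration. The vulnerable handler writes before it ever looks at ownership (which is exactly how a 500 can still mean "saved"), the fixed handler checks the owner against the server-side record before touching anything, and idor_check judges the outcome by re-reading the object rather than trusting the response.

```python
# Added example, not code from the original post or from Instagram.
# A plain-Python stand-in for a "/media/<id>/edit/" endpoint so the
# ownership bug and its fix can be run offline. The users, media IDs and
# the misleading-500 behaviour are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Media:
    media_id: int
    owner: str
    caption: str = ""


@dataclass
class Response:
    status: int
    body: str


# Constructed data store: the hunter's video and a victim video with no caption.
MEDIA = {
    1001: Media(1001, "hunter", "MyVideo"),
    2002: Media(2002, "victim", ""),
}


def edit_caption_vulnerable(session_user: str, media_id: int, caption: str) -> Response:
    """Authenticated but not authorized: the handler never asks whether
    session_user owns media_id, so the write happens for any logged-in caller."""
    media = MEDIA.get(media_id)
    if media is None:
        return Response(404, "not found")
    media.caption = caption  # state changes before any ownership logic runs
    if media.owner != session_user:
        # Constructed: some later step fails for a non-owner and the request
        # surfaces as a 500, but the caption above has already been saved.
        return Response(500, "Oops an error occurred")
    return Response(200, "ok")


def edit_caption_fixed(session_user: str, media_id: int, caption: str) -> Response:
    """Ownership is checked against the server-side record BEFORE any write."""
    media = MEDIA.get(media_id)
    if media is None or media.owner != session_user:
        # One answer for "not yours" and "does not exist", so the endpoint
        # does not tell a caller which media IDs exist.
        return Response(404, "not found")
    media.caption = caption
    return Response(200, "ok")


def idor_check(handler, attacker: str, victim_media_id: int, marker: str) -> dict:
    """Hunter-side check: judge the outcome by the object's state, not by
    the status code. Sends the cross-user edit, then re-reads the record."""
    before = MEDIA[victim_media_id].caption
    resp = handler(attacker, victim_media_id, marker)
    after = MEDIA[victim_media_id].caption
    MEDIA[victim_media_id].caption = before  # restore so the check is repeatable
    return {"status": resp.status, "changed": after != before}


if __name__ == "__main__":
    for name, handler in (("vulnerable", edit_caption_vulnerable),
                          ("fixed", edit_caption_fixed)):
        result = idor_check(handler, "hunter", 2002, "HACKED")
        print(f"{name:10s} status={result['status']} caption_changed={result['changed']}")
```

Running it prints status=500 with caption_changed=True for the vulnerable handler and status=404 with caption_changed=False for the fixed one: the same status-code-versus-state gap the original report hinged on. The fixed version answers a non-owner exactly as it answers a missing ID, so the endpoint does not double as an oracle for which media IDs exist; a 403 is also defensible where the ID space is not considered sensitive.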
This vulnerability is dated, but the lesson remains fresh: trust but verify. And sometimes, the most powerful exploits are the ones that look almost too simple to be real.
Credit to JubaBaghdad for finding this responsibly and helping make Instagram a little safer for all of us. Original report: bugreader.com/jubabaghdad@add-description-to-instagram-posts-on-behalf-of-other-users-37
If you're trying to get your first bug bounty payout
I wrote a guide called Beginner to First $100 Bug Bounty Roadmap. No fluff, no theory, no "mindset" sections. Just the actual process — what to test, where to look, how to write a report that gets accepted. Two full real-world examples included, plus a 7-day plan to get started.
If you're in India: RazorPay (launch price ₹50 for first 20 buyers)
International: GumRoad ($1 for first 20 buyers, then $3.99)