Facebook triage team escalated an open redirect flaw found by the Brazilian teenager in the augmented reality tool

Critical stored XSS vulnerability in Instagram Spark AR Studio nets 14-year-old researcher $25,000

A 14-year-old ethical hacker has netted a $25,000 bug bounty after the discovery of a critical stored cross-site scripting (XSS) vulnerability in Instagram’s Spark AR Studio.

Instagram users can use Spark AR Studio to create ‘augmented reality’ (AR) effects for photos and videos taken with smartphone cameras.

Andres Alonso first reported an open redirect flaw in how the tool creates AR filters to Facebook’s security team, which then escalated the bug to an XSS vulnerability.

Malicious filter files

The Brazilian teenager said he wasn’t actually hunting for security flaws when he alighted on a potential bug in the platform.

In a Medium post published yesterday (September 20) that retraced the steps leading to his discovery, Alonso said he was making Instagram filters for his own app. To do so, he “needed to understand how” Spark AR “generates the filter links to test the filter on the smartphone”.

However, when he changed the name of the preview file (preview.arexport) “the filter test notification changed too”. This prompted him to attempt XSS with a malicious filter file “but without success”, since “the meta tag is so limited” and he could only close the exploit code with double quotation marks.

Changing tack, he “tried to make an open redirect” by using HTML encoding to bypass the filter and injecting this payload, which redirects to http://www.evilzone.com: 0;url=http://www.evilzone.com"HTTP-EQUIV="refresh"any=".arexport.

This successfully redirected the user to a potentially malicious external domain, proving that the open redirection exploit worked.

Notifying Alonso of the decision to award him $25,000, Facebook’s security team wrote: “Although your original report is about an open redirect issue, we further investigated and found that it could be escalated to XSS.”

Alonso surmised that it was possible to achieve XSS by injecting the charset attribute with the modified UTF-7 charset to encode the XSS payload.
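The two findings above (the filename breaking out of a meta tag's attribute value, and the charset then being overridable) come down to one rendering mistake: untrusted text placed in an HTML attribute without encoding. The following is an added example, not Spark AR's or Facebook's code, that contrasts a hypothetical vulnerable template with a hardened one. The template function names, the filename allowlist and the `countRefreshDirectives` check are assumptions made for this illustration; the payload string is the one quoted in the article.

```javascript
// Added example (not Spark AR's code): an unescaped filename inside a
// <meta> attribute versus the same template with attribute encoding and a
// pinned charset.

// The filename quoted in the article. The embedded double quote closes the
// content attribute early; everything after it is parsed as new attributes.
const PAYLOAD = '0;url=http://www.evilzone.com"HTTP-EQUIV="refresh"any=".arexport';

// Encode the five characters that can terminate or alter an attribute value.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable template: the filename is interpolated verbatim.
function renderPreviewUnsafe(filename) {
  return `<meta name="filter-preview" content="${filename}">`;
}

// Hardened template: the charset is declared before any untrusted text (so a
// later charset attribute cannot switch the document to UTF-7 or similar),
// and the filename is attribute-encoded so it can only ever be data.
function renderPreviewSafe(filename) {
  return `<meta charset="utf-8"><meta name="filter-preview" content="${escapeAttr(filename)}">`;
}

// Defense in depth: accept only plain names with the expected extension,
// so a quote, angle bracket or semicolon never reaches the template at all.
function isSafeFilename(name) {
  return /^[A-Za-z0-9_-]{1,64}\.arexport$/.test(name);
}

// Detection helper for the demonstration: blank out quoted attribute values,
// then count http-equiv attributes that survive in tag position. A value of
// 0 means no refresh directive was smuggled into the markup.
function countRefreshDirectives(html) {
  const withoutValues = html.replace(/"[^"]*"/g, '""');
  return (withoutValues.match(/http-equiv\s*=/gi) || []).length;
}

// Stand-alone run: show the two renderings side by side.
console.log('unsafe :', renderPreviewUnsafe(PAYLOAD), '->', countRefreshDirectives(renderPreviewUnsafe(PAYLOAD)));
console.log('safe   :', renderPreviewSafe(PAYLOAD), '->', countRefreshDirectives(renderPreviewSafe(PAYLOAD)));
console.log('allowlisted?', isSafeFilename(PAYLOAD), isSafeFilename('myfilter.arexport'));
```

The allowlist and the encoder are independent layers: the encoder is what makes the template correct, while the allowlist keeps hostile input out of logs, notifications and any other surface the name is later copied into.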

Facebook, which owns Instagram and runs its accompanying security bug bounty program, said it had verified that the vulnerability hasn’t been exploited in the wild.

Expanded program

Alonso’s payout comes just two months after Facebook announced the addition of Spark AR and the Hermes JavaScript engine to its bug bounty program because of “the popularity of AR effects” among its users.

The maximum possible reward under the program – $40,000 – is available for achieving remote code execution (RCE) when running a Spark AR effect, through flaws in the Spark AR platform or the Hermes JavaScript VM (virtual machine).

Alonso, who only signed up to HackerOne in February, has reportedly had another security flaw validated by the BMW Group.

Other teenage bounty winners

The teenage researcher is not even the youngest ethical hacker to find a security flaw in Instagram.

In 2016, a 10-year-old Finnish schoolboy earned a $10,000 bounty after finding an API bug that allowed him to erase comments from any account on Instagram – a platform he was using in defiance of the social media platform’s minimum age restriction.

Another teenage hacker to hit the headlines is Argentinian researcher Santiago Lopez, who was 19 when he became the first ethical hacker to make a million dollars through bug bounties in 2019.

The Daily Swig has contacted Facebook for comment and will update the article if and when we hear back.
