October 1, 2021
In 2018, I discovered a side-channel vulnerability of a class that would eventually come to be known as Cross-Site Leaks (XSLeaks). This blog post aims to shed light on the issue using the case study of Instagram, one of the largest social networks in the world, with one billion reported monthly active users as of June 2018.
Instagram gives its users a choice between a public and a private account. A private account publicly discloses only the user's profile picture and name, while the rest—posts and the followers list—remains concealed unless the user grants access. That access can be revoked at any time, reinforcing the user's control over their privacy.
Interestingly, it was these very privacy features that inadvertently enabled the exploit I discovered. I observed that Instagram rendered numerous iframe tags on public profiles. Conversely, for private accounts, a different page—displaying only the profile picture, name, and a privacy notice—would be rendered without any iframe tags.
The critical point is that cross-origin sites are permitted to determine the number of iframe tags present in any Window object they hold a reference to, simply by reading its frames.length property. A reference is obtained by opening the profile in a new window:

```javascript
// Open the target profile and keep a reference to its Window object.
// The profile URL is a placeholder; the attacking page cannot read the
// popup's contents, only properties the browser exposes cross-origin.
var popup = window.open('https://www.instagram.com/<username>/');
```

The popup variable now refers to the Instagram window object, and it inadvertently leaks the number of iframe elements that window contains:

```javascript
popup.frames.length // 1 or more for public profiles
popup.frames.length // 0 for private profiles
```
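The oracle above, together with the two defences that close it, as an added example written for this post (it is not code from the post, from Instagram, or from Facebook). It models a profile page in a small Node.js renderer: the PROFILES table, the viewer's follow state, and the function names renderVulnerable, renderHardened, securityHeaders, countIframes, frameCountIsStateIndependent and isolatesFromCrossOriginOpener are all constructed for the demo. It goes slightly beyond the post by showing the mitigation side: a DOM whose frame count does not depend on the secret, and a Cross-Origin-Opener-Policy header that severs a cross-origin opener's reference to the window.

```javascript
// Added example, not code from the blog post or from Instagram: models the
// frame-count oracle in a tiny server-side renderer and the defences that
// close it. Profile data, names and follow states are constructed.

// Constructed sample data. For a private profile, whether the viewer is an
// approved follower decides what gets rendered.
const PROFILES = {
  alice: { isPrivate: false, posts: ['p1', 'p2', 'p3'] },
  bob:   { isPrivate: true,  posts: ['p4', 'p5'] },
};

// Vulnerable renderer: posts are embedded as <iframe>s, but only when the
// viewer may see them. The DOM structure therefore encodes a secret (the
// viewer's follow state), and window.frames.length exposes it cross-origin.
function renderVulnerable(name, viewerFollows) {
  const p = PROFILES[name];
  const canSeePosts = !p.isPrivate || viewerFollows;
  if (!canSeePosts) {
    return `<h1>${name}</h1><p>This account is private.</p>`;
  }
  const embeds = p.posts.map(id => `<iframe src="/embed/${id}"></iframe>`).join('');
  return `<h1>${name}</h1>${embeds}`;
}

// Hardened renderer: the number of frames never depends on the secret. Posts
// are rendered as ordinary elements, which a cross-origin WindowProxy cannot
// observe, so frames.length is 0 for every profile and every viewer.
function renderHardened(name, viewerFollows) {
  const p = PROFILES[name];
  const canSeePosts = !p.isPrivate || viewerFollows;
  const body = canSeePosts
    ? p.posts.map(id => `<article data-post="${id}"></article>`).join('')
    : '<p>This account is private.</p>';
  return `<h1>${name}</h1>${body}`;
}

// Second defence, independent of the DOM: response headers that sever a
// cross-origin opener's reference to this window altogether.
function securityHeaders() {
  return {
    // Places the page in its own browsing context group; a cross-origin
    // opener's WindowProxy is disconnected, so popup.frames.length stops
    // reflecting this document.
    'Cross-Origin-Opener-Policy': 'same-origin',
    // Refuses cross-origin embedding, so the same count cannot be read
    // through an <iframe> either.
    'X-Frame-Options': 'DENY',
  };
}

// What a cross-origin page can observe about a document: its iframe count.
function countIframes(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// Regression check for a renderer: the iframe count must be identical for
// every (profile, follow-state) combination, otherwise the count is an oracle.
function frameCountIsStateIndependent(render) {
  const counts = new Set();
  for (const name of Object.keys(PROFILES)) {
    for (const follows of [true, false]) {
      counts.add(countIframes(render(name, follows)));
    }
  }
  return counts.size === 1;
}

// Header audit: does the response opt into opener isolation? Both COOP values
// accepted here isolate the document from a cross-origin opener; 'unsafe-none'
// (the default) does not.
function isolatesFromCrossOriginOpener(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'cross-origin-opener-policy');
  if (!key) return false;
  const value = String(headers[key]).trim().toLowerCase();
  return value === 'same-origin' || value === 'same-origin-allow-popups';
}

console.log('vulnerable renderer state-independent:', frameCountIsStateIndependent(renderVulnerable)); // false
console.log('hardened renderer state-independent:', frameCountIsStateIndependent(renderHardened));     // true
console.log('COOP isolates opener:', isolatesFromCrossOriginOpener(securityHeaders()));                 // true
```

Run with `node` and the two checks print false for the vulnerable renderer and true for the hardened one. In a real deployment the two defences are complementary: the uniform DOM removes the signal, and COOP removes the cross-origin reference through which any remaining signal would be read.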
As a result, given this leak, any website you visited could learn which Instagram accounts you follow: a private profile rendered with its iframes only when the logged-in viewer was an approved follower, and with none otherwise. This is especially alarming for users following accounts associated with sensitive topics such as protests or political events, since that information alone can be quite revealing.
Notably, this exploit worked even when all parties involved were using private Instagram accounts.
Upon discovering this vulnerability, I responsibly reported the issue to the Facebook security team on December 12, 2018. My efforts were acknowledged by Facebook, which honored me by adding me to their 'white hat' Wall of Fame (https://www.facebook.com/whitehat/thanks) and awarded me a $1,000 cash bounty.