Disclose Ad Accounts linked with Instagram Accounts

Description

There is a GraphQL endpoint in Instagram that allowed me to view the Ad accounts linked to an Instagram profile.

Impact

A malicious user could have used this bug to retrieve the Ad accounts linked to an Instagram account, which could lead to identification or de-anonymization.

Proof of concept

POST https://i.instagram.com/api/v1/ads/graphql

doc_id=REDACTED&query_params=
{"query_params":{"access_token":"","id":"userID"}}
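As an added illustration (not code from the report or from Meta), the missing object-level authorization check the proof of concept implies, written as a minimal request handler in the vulnerable shape beside a hardened one. The parameter layout follows the request above; the token table and the user-to-ad-account mapping are constructed sample data.

```python
import json

# Constructed sample data: which user id administers which ad accounts.
AD_ACCOUNTS = {"1001": ["act_A"], "1002": ["act_B", "act_C"]}
# Constructed token table: access_token -> authenticated user id.
TOKENS = {"tok-1001": "1001", "tok-1002": "1002"}


def parse_query_params(raw):
    """Parse the query_params JSON body; return (access_token, id) or None."""
    try:
        params = json.loads(raw)["query_params"]
        return params.get("access_token", ""), str(params["id"])
    except (ValueError, KeyError, TypeError):
        return None


def resolve_vulnerable(raw):
    """The pattern the report describes: the id in the request is trusted as-is
    and the (possibly empty) access token is never checked, so any caller can
    read the ad accounts linked to any profile id."""
    parsed = parse_query_params(raw)
    if parsed is None:
        return {"error": "bad_request"}
    _token, target = parsed
    return {"ad_accounts": AD_ACCOUNTS.get(target, [])}


def resolve_hardened(raw):
    """Authenticate the caller from the token, then enforce an object-level
    check: only the profile owner may read that profile's ad accounts."""
    parsed = parse_query_params(raw)
    if parsed is None:
        return {"error": "bad_request"}
    token, target = parsed
    caller = TOKENS.get(token)
    if caller is None:  # empty or unknown token: no authenticated caller
        return {"error": "unauthenticated"}
    if caller != target:  # authenticated, but not the owner of that id
        return {"error": "forbidden"}
    return {"ad_accounts": AD_ACCOUNTS.get(target, [])}
```

The same check belongs in every resolver that the persisted doc_id can reach, since the doc_id only selects the query and carries no authorization of its own.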

Timeline

6 November 2021 - Report sent
8 November 2021 - Reply from Security Personnel: Need More Info
11 November 2021 - Triaged
2 December 2021 - $1500 bounty awarded by Meta