
How I managed to bypass Instagram’s story restriction and got $500 from Facebook.


Hello readers,

My name is Baibhav Anand Jha, and today I want to share with you how I was able to bypass the restriction on Instagram stories by replying to stories on which the account owner had disabled replies, and how I got rewarded by Facebook.

How did I manage to do so?

 

Assume I am User A.

Let's say there are two users, User A and User B. User B uploaded a story on which he disabled replies.

Now, User A somehow finds a way to pop up the keyboard on his phone, which can be done in many ways. Let's say that while User A was watching User B's Instagram story, he received a message on WhatsApp from someone. As User A clicked the reply button in WhatsApp's pop-up message, the keyboard appeared on screen, and boom, there was a reply option in the Instagram story.

But the send button was still not working because of the restriction. Now User A notices that there is also an option to send photos as a reply to the Instagram story, and upon clicking that he could send any text and any image to any Instagram account despite the restriction set by the account owner.
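The behaviour described above is a restriction that holds on one reply path (text) but not on another (photo). As an added illustration, not Instagram's code and not part of the original post, the sketch below contrasts that pattern with a single server-side check applied to every reply type. All names (`Story`, `send_reply`, `authorize_reply`) are hypothetical, and the flawed handler is an assumed model of the symptom, not a known root cause.

```python
from dataclasses import dataclass, field

class ReplyNotAllowed(Exception):
    """The story owner has disabled replies."""

@dataclass
class Story:  # hypothetical model, not Instagram's schema
    owner: str
    replies_enabled: bool
    inbox: list = field(default_factory=list)  # replies delivered to the owner

def send_reply_inconsistent(story, sender, kind, body):
    # Assumed flawed pattern: only the text path honours the owner's
    # setting, so a photo reply is delivered despite the restriction.
    if kind == "text" and not story.replies_enabled:
        raise ReplyNotAllowed(story.owner)
    story.inbox.append((sender, kind, body))

def authorize_reply(story):
    # One policy check for all reply types, made on the server and
    # independent of what the client UI showed or hid.
    if not story.replies_enabled:
        raise ReplyNotAllowed(story.owner)

def send_reply(story, sender, kind, body):
    if kind not in ("text", "photo"):
        raise ValueError(f"unsupported reply kind: {kind!r}")
    authorize_reply(story)  # runs before any type-specific handling
    story.inbox.append((sender, kind, body))

def delivered(handler, kind, replies_enabled=False):
    # Constructed sample: user_a replies to a story posted by user_b.
    story = Story(owner="user_b", replies_enabled=replies_enabled)
    try:
        handler(story, "user_a", kind, "constructed sample reply")
    except ReplyNotAllowed:
        return False
    return len(story.inbox) == 1

if __name__ == "__main__":
    for handler in (send_reply_inconsistent, send_reply):
        for kind in ("text", "photo"):
            print(handler.__name__, kind, delivered(handler, kind))
```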

 

How did I find it?

One fine day, I was on my couch surfing the internet as usual, watching the Instagram stories of people I followed. There were around 20 stories by Unbox Therapy (a popular tech YouTuber), and he had disabled replies for the stories. Suddenly one of my friends messaged me on WhatsApp, I clicked on the reply button, the keyboard popped up, and suddenly I saw that the story had a reply option. I was amazed! But when I tried to reply to the story, the send button didn't work because of the restriction by the owner. Then I tried to send him an image instead of a text reply, and BOOM, I could reply to his story.

 

Now what?

First I thought it was a broken feature and there was no point in reporting it, but then I was like, NO! I just bypassed their security restriction by replying to his story; I must report this issue to the Facebook Security Team.

 

The Bug Report

On 3rd February, Saturday, 2019: I created a bug report stating how I could bypass Instagram's restriction, in that I was able to reply to stories on which replies were disabled, and attached a video PoC to the report.

Here is the video that I sent them: https://drive.google.com/file/d/17WZvdGKvzeBz5OPq4PlEUPXF35XaziHv/view?fbclid=IwAR2EEdEPCmR75-Mvcgam10KFvxQBCGeKI7ZpkfpzrhLPzjdryxyw8Mt2Edg

 

On 7th February, Thursday, 2019: They thanked me for the submission and stated that they were working to reproduce my report.

 

On 13th February, Wednesday, 2019: They thanked me again and sent my report to the appropriate product team for further investigation.

 

On 24th April, Wednesday, 2019: They messaged me stating that the vulnerability had been patched and that they would follow up regarding bounty decisions.

 

On 30th April, Tuesday, 2019: $500 Bounty Awarded.

 

Here is the message they sent me:

 

Hope you guys enjoyed going through the article. I will be sharing more such articles as I progress in my journey of making the Internet safer.

 

About Me

I am Baibhav Anand Jha, a 16-year-old tech enthusiast from Nepal who is on a journey of securing the Internet.

Find me on: Facebook

Find me on: Instagram

Find me on: Twitter