$25K Instagram Almost XSS Filter Link — Facebook Bug Bounty

Andres Alonso
3 min readSep 20, 2020

Hii, I’m Andres Alonso, Brazilian 14 years old. Today I am going explain how I accidentally found a critical stored XSS when I was making an Instagram integrated app.

Sometimes I work on my app to make Instagram filters by mobile, to make a functionality of my app I needed to understand how the Spark AR facebook filter creator app generates the filter links to test the filter on the smartphone.

When I generate the filter link the first request sent sets the name, file type, and size of the filter .arexport file.

Normally the default name of the preview is preview.arexport and not can be changed by the Spark AR app, because this I wanted to see more closely.

When I changed the name the filter test notification changed too, so with this, I tried to make more, I tried to make a code injection XSS or something in the Instagram app but without success.

so this changed when I had the idea to see in the desktop app, the filter not load obviously and the name not is shown in the page…

but not, when I searched the name of the filter on the page I found two meta tags with the filter name in the content

so with this, I tried an XSS with the allowed characters, I couldn’t use the open of an HTML code but I can use the double quotes to close the content.

All my tentatives to make an XSS fail because the meta tag is so limited and I can only close the double quotes, but I tried to make an open redirect, to make this I encoded the URL in HTML encoding to bypass the filter.


and put in this payload to redirect to the URL


and… THIS WORKS the user is redirect to the another page… but where's the XSS?

If you use “javascript:” before the url the script will be executed

but… only on specific browsers with specific versions

and i reported the Open Redirect citing a possible xss in some browsers

After the report, the Facebook Security Team rated this as can be escalated to an XSS.

I believe it happened because I can’t open the HTML code, but I can close this so with this I found some payloads that change the charset of the page and add code with another charset type bypassing the filter:

<meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi

I have to thank Facebook for make a little push in my report escalating to an XSS

Thank you for reading the article to the end and if you want you can follow me on instagram or twitter!