
In January 2025, I discovered a critical vulnerability within Instagram’s Meta Verified accounts system, allowing users to bypass the usual review process for username changes. Normally, a Meta Verified account must go through a review process before any username change is approved. However, this bug allowed users to change their usernames instantly without any review, compromising Meta’s verification and security protocols.
How the Vulnerability Worked
The vulnerability affected Instagram’s review process for Meta Verified accounts. Here’s how the exploit unfolded:
- Accessing Instagram Lite: The attacker would use the Instagram Lite app (version 443.0.0.8.106).
- Changing the Username: The attacker would navigate to the Edit Profile section and change the username.
- Bypassing Review: Once the new username was saved, the system would allow the change without triggering the usual review process.
By exploiting this flaw, users could effectively bypass the manual review Meta employs for Verified accounts, potentially leading to impersonation or misuse of verified identities.
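The following is an added example, not code from this write-up or from Meta. The write-up does not state why the Instagram Lite path skipped review, so the example assumes one common cause: the review gate is implemented per client handler and one handler lacks it. It shows that shape beside a centralized check, plus a regression check that runs every client through the same policy. All names (`CLIENTS`, `Account`, the handler functions) are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical client identifiers, constructed for this example.
CLIENTS = ("main_app", "lite_app", "web")

@dataclass
class Account:
    username: str
    meta_verified: bool
    pending_username: Optional[str] = None

def change_username_per_client(acct, new_name, client):
    """Assumed 'before' shape: the review gate lives in each client's
    handler, and one handler (lite_app here) was never given it."""
    if client in ("main_app", "web") and acct.meta_verified:
        acct.pending_username = new_name
        return "pending_review"
    acct.username = new_name
    return "applied"

def change_username_central(acct, new_name, client):
    """Hardened shape: the decision depends only on account state, so the
    client value cannot influence whether review happens."""
    del client  # intentionally unused; kept for signature parity
    if acct.meta_verified:
        acct.pending_username = new_name
        return "pending_review"
    acct.username = new_name
    return "applied"

def clients_skipping_review(handler):
    """Regression check: list every client through which a verified
    account's username changes without going to review."""
    skipped = []
    for client in CLIENTS:
        acct = Account("original_name", meta_verified=True)
        result = handler(acct, "new_name", client)
        if result != "pending_review" or acct.username != "original_name":
            skipped.append(client)
    return skipped

if __name__ == "__main__":
    print(clients_skipping_review(change_username_per_client))
    print(clients_skipping_review(change_username_central))
```

Running a check like `clients_skipping_review` against every supported client and API version in CI catches a newly added entry point that lacks the gate.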
Risks and Impact
This vulnerability presented a range of potential risks:
- Impersonation of Verified Accounts: Malicious actors could impersonate verified profiles, leading to credibility and trust issues.
- Fraudulent Activities: Fake verified accounts could engage in fraudulent or harmful activities, including phishing or spreading misinformation.
- Security Threats: The vulnerability weakened the integrity of Instagram’s review system, affecting the security of high-profile accounts.
Resolution and Fix
After discovering the vulnerability, I reported it through Meta’s Bug Bounty Program, providing detailed reproduction steps and a proof-of-concept video. Meta acknowledged the issue and implemented a fix to secure the system.