In January 2025, I discovered a critical vulnerability within Instagram’s Meta Verified accounts system, allowing users to bypass the usual review process for username changes. Normally, a Meta Verified account must go through a review process before any username change is approved. However, this bug allowed users to change their usernames instantly without any review, compromising Meta’s verification and security protocols.
How the Vulnerability Worked
This vulnerability exploited Instagram’s review process for Meta Verified accounts. Here’s how the exploit unfolded:
- Accessing Instagram Lite: The attacker would use the Instagram Lite app (version 443.0.0.8.106).
- Changing the Username: The attacker would navigate to the Edit Profile section and change the username.
- Bypassing Review: Once the new username was saved, the system would allow the change without triggering the usual review process.
By exploiting this flaw, users could effectively bypass the manual review Meta employs for Verified accounts, potentially leading to impersonation or misuse of verified identities.
Risks and Impact
This vulnerability presented a range of potential risks:
- Impersonation of Verified Accounts: Malicious actors could impersonate verified profiles, leading to credibility and trust issues.
- Fraudulent Activities: Fake verified accounts could engage in fraudulent or harmful activities, including phishing or spreading misinformation.
- Security Threats: The vulnerability weakened the integrity of Instagram’s review system, affecting the security of high-profile accounts.
Meta’s Response
Upon reporting the issue to Meta through their Bug Bounty Program, Meta acknowledged the problem and began working on a fix. The issue was resolved after an investigation, reinforcing the review process to prevent further exploitation.
Resolution: Meta quickly addressed the flaw and implemented security measures to restore the integrity of their review process. The vulnerability has since been patched, ensuring that username changes on Meta Verified accounts are properly reviewed.
Conclusion
This vulnerability highlights the importance of continuous security testing and responsible vulnerability disclosure. By identifying and reporting this flaw, we helped improve the security of Instagram’s Meta Verified accounts, ensuring that verified users remain protected from exploitation.
Security researchers play a critical role in identifying emerging threats and ensuring platforms like Instagram stay secure. It is essential for businesses and users to stay vigilant and report any vulnerabilities they encounter, helping to maintain a safer environment for all.
