I was trying to find some security flaw in Instagram, then i get caught on one endpoint that comes when you open any story of any user then this endpoint gets hit in the backend.
So, in this endpoint there are some parameters , among those there is one parameter “viewSeenAt” whose value is the exact time when you clicked on the story.
On tampering the last 2 digit of this value of parameter “viewSeenAt” to any previous number and then forwarding the request you can see the story of any user without getting caught in the Viewers list of the user story. Even if you now see the story again and again your name will not come under the viewer list of the user story.
Reported this issue to Facebook white hat program but they replied that they don’t consider this as a security issue and closed it.
So i thought of publishing about this issue here to my fellow bug bounty hunter friends.
Thanks for the read.