Instagram Story Phone Crash: Investigation and Findings

Jul 6, 2024

Instagram Story Phone Crash: Investigation and Findings

Incident Overview

  • Tens of thousands impacted by an Instagram story causing smartphone crashes.
  • Account responsible: pg_talal.
    • Two main stories causing different issues based on the device.

Device-Specific Behavior

  • Android Phones: Purple screen with confetti and song "Your Love".
    • Cannot pause by holding finger on the screen.
  • iPhones: Grey screen with Arabic text.
    • Phone becomes completely unresponsive.

Initial Questions

  • How can an Instagram story crash phones?
  • Why does the content appear different on different devices?
  • What is the creator's intent (hacking, personal data theft, taking down Instagram)?

Previous Related Incident

  • Similar incident with a wallpaper crashing phones.
    • Deemed accidental due to photo editing.
    • Current Instagram story incident appears intentional.

Creator Overview

  • Profile analysis of pg_talal:
    • No profile picture, other text in Arabic.
    • Personal account private.
    • TikTok account with minimal activity.
    • Usage of Google Lens for translation: Captions were not insightful.

Data Collection and Experimentation

  • Tested different phones to see the effect of the story.
    • High-end Android phones (Samsung Galaxy S21 Ultra): No crash.
    • Mid-range Android phones (Nokia): Struggles but functions.
    • Low-end Android phones: Crashes completely.

Technical Breakdown

  • Hypothesis: High processing power or RAM needed due to story content.
  • Assembly of expert team for deeper analysis:
    • Developers from various backgrounds.
    • Cybersecurity researcher: Annanei.
  • Instagram story contains more than visible elements.
    • Use of Instagram web's inspect tab to analyze story's raw data.

Key Findings

  • Use of Instagram stickers (countdown timer & quiz) with enormous scaling values.
    • Normal story elements have scale 0-1 values.
    • pg_talal's elements have 18-digit scale values, spanning quintillions of phones.
    • Android displays parts of the countdown timer; iPhone fails to render and crashes.

Behind the Scenes: HTTP Proxy Usage

  • Talal potentially used an HTTP proxy to modify data before reaching Instagram servers.
    • Allows modification of scale and location values of stickers to astronomical numbers.
  • Instagram failed to handle improper scale values, leading to crashes.

Conclusion: The Creator's Intent

  • Speculated intention: Fun, challenge, and highlighting security vulnerabilities.
    • Facebook (Instagram owner) has a history of rewarding vulnerability finders.
  • Creator revealed to be a self-taught 14-year-old developer.

Future Implications and Observations

  • Attempts to recreate the crash using HTTP proxy.
    • Managed to replicate non-crashing purple-screen on Android.
    • Instagram has partially patched the issue.
  • New exploits constantly being created.
    • Example: A sequence of characters crashing the Instagram app (less severe than full phone crash).

Key Takeaway

  • No software is completely secure; continuous monitoring for new vulnerabilities needed.