This is how I was able to permanently crash all Mapillary users within minutes

Hello everyone! I’m Abhishek Pathak from Gorakhpur, Uttar Pradesh, and I’m 17 years old. This is my first bug bounty from the Facebook social media platform (Meta, Inc.).

About Mapillary

Mapillary is a street-level imagery platform acquired by Facebook (Meta, Inc.) in June 2020. It combines street images from any camera into a visualisation to improve maps.

Description

This bug could allow an attacker to remotely and permanently crash the Mapillary Android app for users by supplying their account’s UID (Unique ID).

Impact

An attacker can crash the app’s main features, the “Capture” and “Organization” options, for a particular user without any interaction, which can permanently stop that user from capturing and uploading images.

Story and Repro Steps

One day I was talking to my friend Mayur Fartade. He told me about Facebook’s new acquisition, “Mapillary”, which had been listed on their Bug Bounty page. So I instantly took my laptop and started digging into it.

Timeline

02 Oct 2021 — Initial Report

Infosec Stuffs! :)