This is how I was able to permanently crash all Mapillary users within minutes

About Mapillary

Mapillary is a street-level imagery platform acquired by Facebook (Meta, Inc) in June 2020. It combines street images from any camera into a visualisation to improve maps.

Description

This bug could allow an attacker to remotely and permanently crash the Mapillary Android app for users by supplying their account’s UID (Unique ID).

Impact

An attacker can crash the app’s main feature, “Capture”, and the “Organization” options for a particular user without any interaction. This can permanently stop a user from capturing and uploading images.

Story and Repro Steps

One day I was talking to my friend Mayur Fartade. He told me about Facebook’s new acquisition, “Mapillary”, which got listed on their Bug Bounty page. So I instantly took my laptop and started digging into it.

Timeline

02 Oct 2021 — Initial Report
