Facebook, under its Bug Bounty Program, has awarded Rs 22 lakh to an Indian hacker for discovering an Instagram bug. The bug would have permitted anyone to access a user's previous posts, stories, reels, and IGTV videos even if the user's profile was private. Facebook has already fixed the problem, but before the fix the bug would have allowed attackers to gain unauthorized access to users' private photos and videos without having to follow them.
Indian Hacker discovers Instagram Bug
Mayur Fartade is the Indian hacker who discovered the Instagram bug, which allowed attackers to view targeted media on the platform. By brute-forcing Media IDs, an attacker might also have been able to save photographs, videos, and metadata about specific media, in addition to accessing users' private media such as private or archived posts, stories, reels, and IGTV.
“Data of users can be read improperly. An attacker could be able to regenerate valid CDN URLs of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filters which are private and archived,” he said in the blog post.
The information obtained from Instagram could have also given attackers access to the Facebook pages attached to the Instagram account.
Fartade first reported the Instagram bug to Facebook under its Bug Bounty Program on April 16. On April 19, he received a response from Facebook asking him to submit more details regarding the issue. Facebook patched the bug on April 29, and on June 15 the Indian hacker was awarded Rs 22 lakh for discovering the dangerous vulnerability.
Facebook, in its letter to Fartade, thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.