Indian Hacker awarded ₹22 Lakh from Facebook for finding Instagram Bug under its Bug Bounty Program


    Facebook, under its Bug Bounty Program, has awarded Rs 22 lakh to an Indian hacker for discovering an Instagram bug. The bug would have permitted anyone to access previous Posts, Stories, Reels, and IGTV even if the user’s profile was private. Facebook has already fixed the problem, but before the fix the bug would have allowed hackers to gain illegal access to users’ private photos and videos without having to follow them.

    Indian Hacker discovers Instagram Bug

    Mayur Fartade, the Indian hacker, discovered the Instagram bug, which allowed hackers to view selected media on the platform. By brute-forcing Media IDs, an attacker might also have been able to save photographs, videos, and metadata about specific media, in addition to accessing users’ private images, such as private/archived posts, stories, reels, and IGTV.

    “Data of users can be read improperly. An attacker could be able to regenerate valid CDN URLs of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filters which are private and archived,” he said in the blog post.

    The information obtained from Instagram could have also given attackers access to the Facebook pages attached to the Instagram account.

    Fartade first reported the Instagram bug to Facebook under its Bug Bounty Program on April 16. On April 19, he received a response from Facebook asking him to submit more details regarding the issue. Facebook patched the Instagram bug on April 29, and on June 15, the Indian hacker was awarded Rs 22 lakh for discovering the dangerous vulnerability.

    Facebook, in its letter to Fartade, thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.
