An ethical hacker has landed a $30,000 bug bounty payout after finding a security vulnerability in Instagram that potentially exposed users’ private content to nefarious actors.
Indian bug hunter Mayur Fartade claimed the prize from Facebook’s bug bounty program for an exploit that revealed victims’ private and archived posts, stories, video reels, and IGTVs (long-form, immersive videos).
The exploit, which did not require victims to accept the attacker as a follower, involved brute-forcing the target’s Media ID and sending a POST request to one of two vulnerable endpoints, explained Fartade in a blog post.
The response duly returned display and image URLs, and like, comment, and save counts, among other details.
The vulnerable endpoints also exposed the URLs of Facebook pages linked to Instagram accounts.
Timeline
Fartade reported a vulnerable GraphQL endpoint on April 16 and the second vulnerable endpoint on April 23.
An initial fix implemented on April 29 was only partial, according to Fartade, but Facebook assured him that the bug was patched when it informed him of his huge windfall on June 15.
The Daily Swig has contacted Fartade and Facebook for further comment and we will update the article if and when responses are forthcoming.
Previous Facebook payouts
Fartade’s escapades are the latest in a string of hefty Facebook payouts to be documented by bug hunters.
This includes a $55,000 reward for the potential compromise of Facebook’s internal network via vulnerabilities in a third-party application, and $30,000 prizes for a three-bug exploit of Facebook and Oculus accounts, and creating hidden posts on Facebook pages without authorization.
And, earlier this month, an ethical hacker earned $3,000 after thwarting Android’s screen lock mechanism during a Messenger Rooms video chat to access users’ private Facebook content.
