
Instagram vulnerability nets researcher $30k after exposing users’ private content

An ethical hacker has landed a $30,000 bug bounty payout after finding a security vulnerability in Instagram that potentially exposed users’ private content to nefarious actors.

Indian bug hunter Mayur Fartade claimed the prize from Facebook’s bug bounty program for an exploit that revealed victims’ private and archived posts, stories, video reels, and IGTVs (long-form, immersive videos).

The exploit, which did not require the attacker to be an accepted follower of the victim, involved brute-forcing the target’s Media ID and sending a POST request carrying it to one of two vulnerable endpoints, Fartade explained in a blog post.

The response duly returned display and image URLs, and like, comment, and save counts, among other details.

The vulnerable endpoints also exposed the URLs of Facebook pages linked to Instagram accounts.
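The bug described above is an authorization failure at the object level: an endpoint resolves a guessable numeric Media ID and returns the media’s details without checking whether the requester is allowed to see the owner’s content. The following is an added illustration of that bug class, not Instagram’s or Facebook’s code; the data model, function names, the “attacker”/“victim”/“friend” accounts and the sample media are all constructed for the example. The vulnerable handler sits beside a hardened one that performs the ownership and follower check before serializing anything.

```python
"""Illustration of the authorization bug class in the article: an endpoint that
looks up a guessable numeric Media ID and returns its details with no check on
whether the requester may view the owner's content.

Added example, not Instagram's or Facebook's code. The data model, handler
names and the sample accounts/media below are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)     # usernames of accepted followers
    linked_page_url: Optional[str] = None           # e.g. a linked Facebook page


@dataclass
class Media:
    media_id: int
    owner: str
    display_url: str
    like_count: int
    comment_count: int
    save_count: int
    archived: bool = False                           # archived posts are owner-only


# Constructed sample data: a private account whose only accepted follower is "friend".
ACCOUNTS = {
    "victim": Account("victim", is_private=True, followers={"friend"},
                      linked_page_url="https://www.facebook.com/example-page"),
    "public_user": Account("public_user", is_private=False),
}
MEDIA = {
    1001: Media(1001, "victim", "https://cdn.example/v/1001.jpg", 12, 3, 1),
    1002: Media(1002, "victim", "https://cdn.example/v/1002.jpg", 7, 0, 0, archived=True),
    1003: Media(1003, "public_user", "https://cdn.example/p/1003.jpg", 40, 5, 2),
}


def serialize(m: Media) -> dict:
    """Response body: display URL, engagement counts and the owner's linked page URL."""
    owner = ACCOUNTS[m.owner]
    return {
        "media_id": m.media_id,
        "display_url": m.display_url,
        "like_count": m.like_count,
        "comment_count": m.comment_count,
        "save_count": m.save_count,
        "linked_page_url": owner.linked_page_url,
    }


def media_info_vulnerable(requester: str, media_id: int) -> Optional[dict]:
    """Vulnerable pattern: the ID is resolved and returned with no ownership or
    follower check, so any authenticated user who guesses the ID gets the data."""
    m = MEDIA.get(media_id)
    return serialize(m) if m else None


def can_view(requester: str, m: Media) -> bool:
    """Object-level authorization: the owner always may; otherwise the post must be
    unarchived and either public or owned by an account that accepted the requester."""
    owner = ACCOUNTS[m.owner]
    if requester == owner.username:
        return True
    if m.archived:
        return False
    if not owner.is_private:
        return True
    return requester in owner.followers


def media_info_fixed(requester: str, media_id: int) -> Optional[dict]:
    """Hardened pattern: same lookup, but the check runs before anything is serialized.
    Unauthorized and nonexistent IDs both yield None, so enumeration cannot tell them apart."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(requester, m):
        return None
    return serialize(m)


def enumerate_media(handler: Callable[[str, int], Optional[dict]],
                    requester: str, id_range: range) -> list:
    """Simulates the approach in the write-up: walk a range of numeric Media IDs
    and collect those for which the endpoint hands back content."""
    return [i for i in id_range if handler(requester, i) is not None]


if __name__ == "__main__":
    attacker = "attacker"   # authenticated, but not a follower of "victim"
    print("vulnerable:", enumerate_media(media_info_vulnerable, attacker, range(1000, 1010)))
    print("fixed:     ", enumerate_media(media_info_fixed, attacker, range(1000, 1010)))
```

Against the vulnerable handler the enumeration recovers every ID in the range, including the private account’s archived post and its linked page URL; against the hardened handler the same non-follower sees only the public account’s post. Returning the same empty result for “no such ID” and “not authorized” is deliberate, since a distinguishable error would still let an enumerating attacker confirm which IDs exist.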

Timeline

Fartade reported a vulnerable GraphQL endpoint on April 16 and the second vulnerable endpoint on April 23.

An initial fix implemented on April 29 was only partial, according to Fartade, but Facebook assured him that the bug was patched when it informed him of his huge windfall on June 15.

The Daily Swig has contacted Fartade and Facebook for further comment and we will update the article if and when responses are forthcoming.

Previous Facebook payouts

Fartade’s reward is the latest in a string of hefty Facebook payouts that bug hunters have documented publicly.

This includes a $55,000 reward for the potential compromise of Facebook’s internal network via vulnerabilities in a third-party application, and $30,000 prizes for a three-bug exploit of Facebook and Oculus accounts, and creating hidden posts on Facebook pages without authorization.

And, earlier this month, an ethical hacker earned $3,000 after thwarting Android’s screen lock mechanism during a Messenger Rooms video chat to access users’ private Facebook content.

Source: https://portswigger.net/daily-swig/instagram-vulnerability-nets-researcher-30k-after-exposing-users-private-content

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO
