Mayur Fartade, a young programmer from Solapur, India, skilled in C++ and Python, found a flaw that allowed attackers to access targeted media on Instagram. In recognition of his work, Facebook awarded him Rs 22 lakh for reporting the Instagram bug. The bug allowed anyone to view a user's archived posts, IGTV, reels, and posts without following that person, even when the account was private. Facebook has since fixed the problem; had it remained unfixed, the flaw could have given attackers unauthorized access to users' private photos and videos.
Mayur explained that, using a Media ID, an attacker could even track a target; the issue may have exposed a user's private images, including private and archived posts, stories, reels, and IGTV. By brute-forcing Media IDs, an attacker could also save images, videos, and details about individual media items, he said in a detailed Medium article.
“Data of users can be read improperly. An attacker could be able to regenerate valid CDN URLs of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filters which are private and archived,” he said in the blog post.
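As an added illustration (not Instagram's code and not Fartade's proof of concept), the following Python model shows the kind of missing object-level authorization his report describes: a lookup that returns media for any known or guessed Media ID, beside a hardened version that checks ownership, archived state and the follower relationship before returning anything. The accounts, Media IDs and data model are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)  # approved followers only

@dataclass
class Media:
    media_id: int
    owner: Account
    archived: bool = False

# Constructed sample data for the example (not real accounts or IDs).
alice = Account("alice", is_private=True, followers={"bob"})
carol = Account("carol", is_private=False)
MEDIA = {
    1001: Media(1001, alice),                 # private account, normal post
    1002: Media(1002, alice, archived=True),  # private account, archived
    2001: Media(2001, carol),                 # public account, normal post
    2002: Media(2002, carol, archived=True),  # public account, archived
}

def get_media_vulnerable(media_id, viewer):
    """Authenticated lookup by ID only: whoever knows or guesses the
    Media ID receives the record, regardless of privacy or archiving."""
    return MEDIA.get(media_id)

def can_view(media, viewer):
    """Object-level authorization for a single media item."""
    if viewer == media.owner.username:
        return True              # owners always see their own media
    if media.archived:
        return False             # archived media is visible to the owner only
    if media.owner.is_private:
        return viewer in media.owner.followers   # private: approved followers
    return True                  # public account, non-archived media

def get_media_hardened(media_id, viewer):
    """Same lookup with the authorization check applied. Missing and
    forbidden IDs get the same 'not found' answer, so an ID-guessing
    client cannot tell valid private IDs from nonexistent ones."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(media, viewer):
        return None
    return media
```

Pairing the check with non-sequential Media IDs and rate limiting on the lookup endpoint addresses the brute-force half of the report, but the authorization check is what closes the actual flaw.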
The information collected from Instagram could potentially be used to reach the Facebook pages linked to the Instagram account and the pages attached to it.
Fartade reported the Instagram bug through the Facebook Bug Bounty Program on April 16. On April 19, Facebook responded asking him for more information. Facebook fixed the flaw on April 29, and on June 15 he was paid Rs 22 lakh for discovering the serious issue.
Facebook, in its letter to Fartade, thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30,000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.
Mayur is a 21-year-old student. He said that initially he found nothing suspicious in Instagram related to the bug, but when he dug deeper into features such as promotions and insights he was able to detect the flaw within the app. Fartade, a Computer Science Engineering student, said this was his reward for the bug reporting he had been doing since his second year of college, when he reported issues with government websites. He wants to do bug bounty hunting part-time while working as a software engineer full-time.