An Indian developer has been awarded a bounty of $30,000 by Instagram for flagging a bug that could allow any to view archived posts, Stories, Reels and IGTV without following the user — when the profile of the former is private.
The Indian developer, Mayur Fartade, detailed the issue in a post on Medium. He said this bug could allow a potential attacker to “to regenerate valid cdn url of archived stories and posts. Also by brute-forcing Media ID’s, the attacker was able to store the details about specific media and later filters which are private and archived.”
He also said that the entire timeline — from raising the issue to it getting fixed — was around two months.
This bug may not look as dangerous at first as it required the attackers to know the media ID associated with an image, video, or album, by brute-forcing the identifiers. However, Fartade showed that it was possible to craft a POST request to a GraphQL endpoint and retrieve sensitive data.
Facebook then responded to him saying that he has highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram.
Back in March, Indian researcher Laxman Muthiyah became the recipient of a $50,000 award by Microsoft under the company’s bug bounty program. Microsoft awarded the Indian researcher for spotting a vulnerability which could lead to someone’s Microsoft account getting hijacked. He had earlier found an Instagram rate limiting bug that could help hijack someone’s account. He then checked for the same vulnerability on Microsoft’s account.
As per Muthiyah, the vulnerability could “have allowed anyone to take over any Microsoft account without consent [or] permission.” Microsoft issued the award of $50,000 through the HackerOne bug bounty platform.