Private posts, stories, video reels, and IGTVs were accessible
UPDATED An ethical hacker has landed a $30,000 bug bounty payout after finding a security vulnerability in Instagram that potentially exposed users’ private content to nefarious actors.
Indian bug hunter Mayur Fartade claimed the prize from Facebook’s bug bounty program for an exploit that revealed victims’ private and archived posts, stories, video reels, and IGTVs (long-form, immersive videos).
The exploit, which did not require victims to accept the attacker as a follower, involved brute-forcing the target’s Media ID and sending a POST request to one of two vulnerable endpoints, explained Fartade in a blog post.
The response duly returned display and image URLs, and like, comment, and save counts, among other details.
The vulnerable endpoints also exposed the URLs of Facebook pages linked to Instagram accounts.
Fartade reported a vulnerable GraphQL endpoint on April 16 and the second vulnerable endpoint on April 23.
An initial fix implemented on April 29 was only partial, according to Fartade.
However, a spokesperson for Facebook told The Daily Swig: “This issue has now been resolved, and we have not discovered any evidence of abuse.”
Previous Facebook payouts
Fartade’s escapades are the latest in a string of hefty Facebook payouts to be documented by bug hunters.
This includes a $55,000 reward for the potential compromise of Facebook’s internal network via vulnerabilities in a third-party application, and $30,000 prizes for a three-bug exploit of Facebook and Oculus accounts, and creating hidden posts on Facebook pages without authorization.
And, earlier this month, an ethical hacker earned $3,000 after thwarting Android’s screen lock mechanism during a Messenger Rooms video chat to access users’ private Facebook content.
This article was updated on June 25 with comments from Facebook.