Facebook on June 16 awarded Rs 22 lakh to an Indian developer for finding a bug in the Instagram app. According to reports, the bug could allow anyone to view a user's archived posts, Stories, Reels and IGTV without following them, even when the profile was set to private.
The Solapur-based developer, Mayur Fartade, detailed the issue in a post on Medium. “Data of users can be read improperly. An attacker could be able to regenerate valid CDN URL of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filter which are private and archived,” he said in the blog post.
Although Facebook has now fixed the bug, had it remained unpatched it would have allowed attackers to gain unauthorised access to users' private pictures and videos without following them.
In its letter to Fartade, Facebook thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30,000. Below is an explanation of the bounty amount. Facebook fulfils its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.