Mayur Fartade, an Indian ethical hacker, has just won Rs. 22 Lakh for uncovering and reporting a major bug in the social media platform Instagram. The bug allowed anyone to view a private account's archived posts, stories, reels and IGTV without following the user's profile. Fartade described it as a "malicious bug which could allow someone to view targeted media on Instagram". The Facebook-owned social media company has since addressed the issue and rewarded Fartade handsomely.
Facebook sent a letter to the ethical hacker to appreciate his efforts. It thanked him for reporting the bug and encouraged him to report any further bugs he might find in the future. He first reported the bug to the company on 16th April, and they wrote back to him on the 19th seeking more information about it.
He said, “An attacker could be able to regenerate valid cdn url of archived stories and posts. By brute-forcing media, the attacker could be able to store the details about the specific media and later filter which are archived and private.”
Due to this bug, details such as comments, likes, the display image URL and the image URI could be extracted by the attacker without needing to follow the profile. Facebook's bug bounty program allows people to disclose such flaws and bugs in its software, and if a report is deemed a legitimate bug, the reporter can be rewarded well. Fartade says that Facebook awarded him Rs. 22 Lakh for discovering and reporting this bug.
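The flaw described above belongs to the broad class of missing object-level authorization: a media item is looked up by its identifier and its metadata returned without confirming that the requester may see it. The following Python model is an added illustration of that class and is not Instagram's or Facebook's code (the real implementation is not public). The account names, media IDs and CDN hostnames are constructed, and the rule that archived media is visible only to its owner is an assumption of the model. It places the unchecked lookup beside a hardened one that enforces owner, privacy and follower checks before releasing any field.

```python
"""Illustrative model of missing object-level authorization on media lookup.

Added example, not Instagram's code. Sample accounts, media IDs and URLs
are constructed; the visibility rules below are assumptions of the model.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)  # usernames of accepted followers


@dataclass
class Media:
    media_id: int
    owner: str
    archived: bool
    cdn_url: str
    likes: int
    comments: list


# Constructed sample data (hypothetical accounts and media identifiers).
ACCOUNTS = {
    "alice": Account("alice", is_private=True, followers={"bob"}),
    "carol": Account("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", archived=True,
                cdn_url="https://cdn.example/1001.jpg", likes=12, comments=["nice"]),
    1002: Media(1002, "carol", archived=False,
                cdn_url="https://cdn.example/1002.jpg", likes=3, comments=[]),
}


def _public_view(m: Media) -> dict:
    """Fields a viewer receives once access has been granted."""
    return {"cdn_url": m.cdn_url, "likes": m.likes, "comments": list(m.comments)}


def get_media_unchecked(requester: str, media_id: int):
    """Vulnerable form: trusts the media ID alone, so any ID that resolves
    returns metadata regardless of who is asking or whether the post is
    private or archived."""
    m = MEDIA.get(media_id)
    return None if m is None else _public_view(m)


def is_authorized(requester: str, m: Media) -> bool:
    """Object-level authorization decision for one media item (model rules)."""
    owner = ACCOUNTS[m.owner]
    if requester == m.owner:
        return True
    if m.archived:            # assumption: archived media is owner-only
        return False
    if not owner.is_private:  # public account: anyone may view live media
        return True
    return requester in owner.followers  # private account: accepted followers only


def get_media(requester: str, media_id: int):
    """Hardened form: the authorization check runs before any field is read.
    Missing and forbidden items yield the same response so the ID space
    cannot be distinguished from the outside."""
    m = MEDIA.get(media_id)
    if m is None or not is_authorized(requester, m):
        return None
    return _public_view(m)


if __name__ == "__main__":
    # A non-follower asking for a private account's archived post.
    print("unchecked:", get_media_unchecked("mallory", 1001))  # leaks metadata
    print("hardened: ", get_media("mallory", 1001))            # None
```

The detail worth carrying into a real service is that `get_media` decides on the same code path for "does not exist" and "not permitted"; returning distinct errors for the two cases turns the endpoint into an oracle for which identifiers are valid, which is exactly what makes brute-forcing of media IDs productive.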
Facebook resolved the issue on June 15 by patching the bug, two months after Fartade initially reported it.