New Delhi: Social media giant Facebook on Wednesday awarded a bounty of $30,000 (Rs 22 lakh) to an Indian developer for detecting a bug in the Instagram app. According to reports, the bug could allow anyone to view archived posts, Stories, Reels and IGTV without following the user, even when the profile is set to private. Although Facebook has now fixed the bug, had it remained unpatched it would have allowed hackers to gain unauthorized access to users' private pictures and videos without following them.

The Solapur-based developer, Mayur Fartade, detailed the issue in a post on Medium. Highlighting the issue, he said the bug could allow a potential hacker to regenerate valid CDN URLs of archived stories and posts. Also, by brute-forcing media IDs, an attacker could store the details about specific media and later filter out which ones are private and archived.

Giving further details, the developer said that the entire timeline — from raising the issue to getting it fixed — took around two months.

“Data of users can be read improperly. An attacker could be able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filter which are private and archived,” he said in the blog post.

As per the report, he first reported the Instagram bug through the Facebook Bug Bounty program on April 16. Facebook responded on April 19, asking him to provide further information about the issue. Facebook then patched the vulnerability on April 29, and on June 15 he was finally awarded Rs 22 lakh for unearthing the dangerous bug.

At first the bug did not look especially dangerous, since it required a hacker to know the media ID associated with an image, video, or album, which would have to be obtained by brute-forcing the identifiers. However, Fartade showed that it was possible to craft a POST request to a GraphQL endpoint and retrieve sensitive data.

After he reported the matter, Facebook immediately responded to him, saying that he had identified a scenario that could have allowed a malicious user to view targeted media on Instagram.

Mayur Fartade is not the only one: another Indian researcher, Laxman Muthiyah, received a $50,000 award from Microsoft in March this year under the company’s bug bounty program.

As per reports, Microsoft awarded him for spotting a vulnerability that could have allowed someone’s Microsoft account to be hijacked. Earlier, he had detected an Instagram rate-limiting bug that could be used to hijack an account, and he then checked whether the same vulnerability existed in Microsoft accounts.