Facebook has recently awarded an Indian security researcher a bug bounty worth $30,000 for detecting and reporting a critical Instagram vulnerability.

Facebook’s Instagram bug:

The security researcher, Mayur Fartade, reported an Instagram bug that allowed anyone to view various posts of a private Instagram account.

The bug, which has now been disclosed by the developer, Mayur Fartade, in a Medium post, could have resulted in a major breach of privacy, leading to targeted identity theft and other cyber risks. The bug was reported to Instagram on April 15, 2021, and has since been patched by the company.

Detailing the vulnerability in Facebook’s Instagram, the security researcher stated that it could have permitted attackers to target specific posts of users and get access to them without having to follow them.

A basic expectation of private accounts is that random accounts cannot access a user’s posts or other such data. Exploiting the bug could give malicious entities elevated privileges that they could use to view Instagram elements like “private/archived posts, stories, reels (and) IGTV, details including like/comment/save count, display_url, image.uri, Facebook linked page (if any), and other particulars, without following the user and by using Media ID.”

Another critical risk of the vulnerability is that it could also let malicious actors brute-force a post’s Media ID and then use it to regenerate valid links to archived and private posts.

To do this, attackers could misuse the Instagram GraphQL tool from its developer library, enter the brute-forced Media ID of any targeted post, and run the tool to get access to details such as the link to the post and its related particulars.
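The flaw described above is a missing object-level authorization check: the server returned media details to any caller who supplied a valid Media ID. The sketch below is an added illustration, not Instagram's code or API; the data model, the names, and the rule that archived posts are visible only to their owner are assumptions. It contrasts a lookup with no check against one that authorizes the viewer on every request and answers denied and nonexistent IDs identically, so guessing IDs reveals nothing.

```python
# Added illustration: hypothetical in-memory model, not Instagram's code or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    media_id: int
    owner: str
    display_url: str
    archived: bool = False


# Constructed sample data.
PRIVATE_ACCOUNTS = {"alice"}
FOLLOWERS = {"alice": {"bob"}}
MEDIA = {
    1001: Media(1001, "alice", "https://cdn.example/p/1001.jpg"),
    1002: Media(1002, "alice", "https://cdn.example/p/1002.jpg", archived=True),
    2001: Media(2001, "carol", "https://cdn.example/p/2001.jpg"),
}


def lookup_unchecked(viewer, media_id):
    """Flawed pattern: any caller holding a valid ID gets the record."""
    return MEDIA.get(media_id)


def can_view(viewer, media):
    """Decide access from the viewer's relationship to the owner."""
    if viewer == media.owner:
        return True
    if media.archived:
        return False  # assumption: archived posts are owner-only
    if media.owner in PRIVATE_ACCOUNTS:
        return viewer in FOLLOWERS.get(media.owner, set())
    return True


def lookup_checked(viewer, media_id):
    """Hardened: authorize every lookup; denied and missing look the same."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(viewer, media):
        return None
    return media
```
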

The bug could potentially expose numerous sensitive details and would have certainly qualified as a breach of privacy since non-followers getting access to content in a private account could lead to various incidents such as identity theft, blackmail, harassment, and more. 

Instagram has now reportedly patched the bug, which should come as a relief to many regular users of the platform.