Security Experts:

Connect with us

Hi, what are you looking for?



Researcher Earns $30,000 for Instagram Flaw Exposing Private Posts

A researcher says he has earned $30,000 through Facebook’s bug bounty program for reporting an Instagram vulnerability that exposed private posts.

A researcher says he has earned $30,000 through Facebook’s bug bounty program for reporting an Instagram vulnerability that exposed private posts.

In a blog post published on Tuesday, Mayur Fartade, a researcher based in India, said the flaw could have been exploited to access private or archived posts, stories, reels and IGTV videos without following the user whose content was targeted.

The security issue was serious, but its severity was mitigated by the fact that an attacker would need to somehow obtain the ID of the targeted media.

Sending a specially crafted POST request with the targeted content’s media ID to a certain Instagram domain resulted in a display URL — this showed the targeted content — and additional data being returned.

Instagram data returned due to vulnerability

However, the researcher said hackers could have also obtained these media IDs using brute-force attacks. They could have used brute-forced IDs to collect data, and then determine which of the content was private or archived.

The vulnerability was reported to Facebook in mid-April and it was partially patched roughly two weeks later. Fartade said a complete fix was rolled out just before he made his findings public.

Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000

Related: Instagram Remote Account Takeover Required No Action From Victim

Related: Email Address of Instagram Users Exposed via Facebook Business Suite

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.