A researcher says he has earned $30,000 through Facebook’s bug bounty program for reporting an Instagram vulnerability that exposed private posts.
In a blog post published on Tuesday, Mayur Fartade, a researcher based in India, said the flaw could have been exploited to access private or archived posts, stories, reels and IGTV videos without following the user whose content was targeted.
The security issue was serious, but its severity was mitigated by the fact that an attacker would need to somehow obtain the ID of the targeted media.
Sending a specially crafted POST request with the targeted content’s media ID to a certain Instagram domain resulted in a display URL — this showed the targeted content — and additional data being returned.
However, the researcher said hackers could have also obtained these media IDs using brute-force attacks. They could have used brute-forced IDs to collect data, and then determine which of the content was private or archived.
The vulnerability was reported to Facebook in mid-April and it was partially patched roughly two weeks later. Fartade said a complete fix was rolled out just before he made his findings public.
Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000
Related: Instagram Remote Account Takeover Required No Action From Victim
Related: Email Address of Instagram Users Exposed via Facebook Business Suite
