Security Experts:

Researcher Earns $30,000 for Instagram Flaw Exposing Private Posts

A researcher says he has earned $30,000 through Facebook’s bug bounty program for reporting an Instagram vulnerability that exposed private posts.

In a blog post published on Tuesday, Mayur Fartade, a researcher based in India, said the flaw could have been exploited to access private or archived posts, stories, reels and IGTV videos without following the user whose content was targeted.

The security issue was serious, but its severity was mitigated by the fact that an attacker would need to somehow obtain the ID of the targeted media.

Sending a specially crafted POST request with the targeted content’s media ID to a certain Instagram domain resulted in a display URL — this showed the targeted content — and additional data being returned.

Instagram data returned due to vulnerability

However, the researcher said hackers could have also obtained these media IDs using brute-force attacks. They could have used brute-forced IDs to collect data, and then determine which of the content was private or archived.

The vulnerability was reported to Facebook in mid-April and it was partially patched roughly two weeks later. Fartade said a complete fix was rolled out just before he made his findings public.

Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000

Related: Instagram Remote Account Takeover Required No Action From Victim

Related: Email Address of Instagram Users Exposed via Facebook Business Suite

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.