This Indian Developer Wins Rs 22 Lakh As Bug Bounty From Instagram! What He Found?

On April 15, 2021, an Indian developer reported a bug to the Facebook-owned Instagram, which could allow anyone to view and access content of private Instagram accounts, without having followed them.

Instagram has a ‘privacy’ feature, which allows users to keep their accounts private from anyone who does not follow them. Everyone surely knows about it.

This could lead to a major privacy breach, followed by identity theft, harassment and blackmail, as the individual could gain access to numerous sensitive details.

However, thanks to this Indian developer and ‘bounty hunter’, Instagram has now taken action and fixed the bug, rewarding the developer with Rs 22 lakh.

Indian Developer Mayur Fartade

Mayur Fartade found an Instagram bug that could allow anyone to view posts, stories, archives, reels and other content and information of private IG account holders.

Fartade reported this bug to Instagram on April 15, 2021, and disclosed it in a Medium post recently; the social media platform has now patched the bug.

Fartade believes that the bug could have led to cyber espionage by cyber attackers on certain users.

It would also have allowed unwanted parties/individuals to gain access to private/archived posts, stories, reels and IGTV, along with details including like/comment/save count, display_url, image.uri, the linked Facebook page (if any) and other particulars, without following the user and by using only the Media ID, all of which are major breaches of privacy on Instagram.

According to a wire news feed, ‘the bug could essentially let anyone brute force a post’s ‘Media ID’, which is an identifier for any post made on Instagram, and then use this to regenerate valid links to archived posts and private ones as well.’

For this to happen, attackers could use Instagram’s GraphQL tool from its developer library, enter the brute-forced Media ID of any targeted post, and run the tool to then get access to details such as the link to the post and its related particulars.
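As the article describes it, supplying a Media ID was enough to get a post's details back, whatever the account's privacy setting. The sketch below is an added illustration, not Instagram's code and not taken from Fartade's report: it contrasts a lookup that trusts the ID alone with one that checks the viewer against the owner's privacy settings. The data model, function names and sample records are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner_id: int
    display_url: str
    archived: bool = False

# Constructed sample data (hypothetical, not real Instagram records).
ACCOUNTS = {
    1: Account(1, is_private=True, followers={2}),
    4: Account(4, is_private=False),
}
MEDIA = {
    1001: Media(1001, 1, "https://cdn.example/1001.jpg"),
    1002: Media(1002, 1, "https://cdn.example/1002.jpg", archived=True),
    2001: Media(2001, 4, "https://cdn.example/2001.jpg"),
}

def lookup_media_unchecked(viewer_id, media_id):
    """Flawed pattern: a valid ID alone returns the record; viewer_id is ignored."""
    media = MEDIA.get(media_id)
    return media.display_url if media else None

def can_view(viewer_id, media):
    """Object-level check: owner always; others only if unarchived and permitted."""
    owner = ACCOUNTS[media.owner_id]
    if viewer_id == owner.user_id:
        return True
    if media.archived:
        return False  # archived posts are visible to the owner only
    return (not owner.is_private) or viewer_id in owner.followers

def lookup_media(viewer_id, media_id):
    """Hardened pattern: authorize every lookup, whatever the entry point."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(viewer_id, media):
        return None  # identical answer for "missing" and "forbidden"
    return media.display_url
```

Returning the same result for a missing ID and a forbidden one means a caller guessing IDs cannot tell which ones belong to real private posts.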
