Ayushi Mehta
A developer from India had been awarded $30,000 for spotting a bug in the system which could give other users the potential to view archived posts, Stories, Reels, and IGTV of the users without following them— even when the user’s profile is private.
The Indian developer who is primarily from Maharashtra gave detailed information regarding the spotted bug in one of his self-written blog posts on an online tech, news, and media platform- Medium. The developer who spotted and resolved the bug is named Mayur Fartade. In the post, he said that the bug can also allow a potential attacker to “regenerate valid CDN URL of archived stories and posts. Also by brute-forcing Media IDs, the attacker was able to store the details about specific media and later filters which are private and archived.”
The Maharashtra-based developer stated that he reported the bug to the security team at Instagram on the 16th of April, 2021. According to his statement, the procedure of the bug getting fixed and resolved ended on June 15th, almost two months after the bug was reported.
Mayur states that he was awarded a prize of $30,000 from the Facebook-backed social media platform- Instagram’s Bug Bounty program for his services in fixing the bug, which is fulfilled through Bugcrowd and HackerOne.
The discovered bug in the system might not look as dangerous as it is at the outset, as it was absolutely required for the attacker to know the exact media ID which was associated with the Image, or the video or any album which was posted either on Feed, or Stories, or Reels or IGTV or kept in the Story Archives, by brute-forcing the identifiers.
Mayur however disclosed that it was indeed possible to create a POST request to a GraphQL endpoint and retrieve and recover these types of sensitive data.
The India-based developer also made a statement saying that yet another endpoint was found that could have exposed the same set of information and data. The Facebook-backed social media company Instagram has however resolved the issues which relate to the discovery of that bug too.
Mayur, in his post on Medium, gave a detailed timeline from the discovering of the bug to solving it. It starts from April 16, when the report was sent to the company’s security team, and ended on June 15, with Mayur receiving an award of $30,000.