Mayur Fartade, a security researcher from Maharashtra, India, found a bug in the Instagram app that allowed a malicious user to view targeted media on Instagram.
Given only a Media ID, it allowed anyone to view details of private and archived posts, stories, reels and IGTV videos without following the user. The exposed details included like, comment and save counts, the display_url, image.uri and the linked Facebook Page (if any).
Facebook has since addressed the issue. Had it remained unfixed, the bug would have let attackers gain unauthorized access to users' private pictures and videos without following them.
Fartade explains the impact: “Data of users can be read improperly. An attacker could be able to regenerate valid CDN URLs of archived stories and posts. Also, by brute-forcing Media IDs, the attacker could be able to store the details about specific media and later filter which are private and archived.”
Through the information obtained from Instagram, it was also possible to identify the Facebook Pages linked to the Instagram account.
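The article gives no request details, so the following is an added illustration and not Instagram's code. It models, in Python, the class of bug described: a media-by-ID lookup that checks only that the caller is logged in, beside a hardened version that checks whether this caller may view this particular media and answers "not found" for anything it is not allowed to show, so that brute-forcing Media IDs cannot be used to sort out which ones are private or archived. The accounts, media IDs and URLs are constructed sample data, and the function names are hypothetical.

```python
# Added example, not Instagram's code. Models a media-by-ID lookup that
# skips the per-object authorization check (the class of bug described),
# beside a hardened version. All data below is constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)


@dataclass
class Media:
    media_id: int
    owner_id: int
    archived: bool
    display_url: str
    like_count: int


# Hypothetical accounts and media; IDs and URLs are made up for the example.
ACCOUNTS = {
    1: Account(1, is_private=True, followers={2}),   # private, followed by user 2
    3: Account(3, is_private=False),                 # public account
}
MEDIA = {
    1001: Media(1001, owner_id=1, archived=False,
                display_url="https://cdn.example.invalid/1001.jpg", like_count=12),
    1002: Media(1002, owner_id=1, archived=True,
                display_url="https://cdn.example.invalid/1002.jpg", like_count=3),
    1003: Media(1003, owner_id=3, archived=False,
                display_url="https://cdn.example.invalid/1003.jpg", like_count=40),
}


class NotFound(Exception):
    """Raised for media the caller may not learn anything about."""


def _details(media):
    return {"media_id": media.media_id, "display_url": media.display_url,
            "like_count": media.like_count, "archived": media.archived}


def media_info_vulnerable(media_id, requester_id):
    """Vulnerable pattern: the caller is authenticated (any logged-in user),
    but nothing checks whether *this* caller may see *this* media.
    Knowing the Media ID is the only requirement."""
    media = MEDIA.get(media_id)
    if media is None:
        raise NotFound(media_id)
    return _details(media)


def can_view(media, requester_id):
    """Object-level authorization: the owner sees everything; archived media
    is owner-only; a private account requires the requester to be a follower."""
    if requester_id == media.owner_id:
        return True
    if media.archived:
        return False
    owner = ACCOUNTS[media.owner_id]
    if owner.is_private:
        return requester_id in owner.followers
    return True


def media_info(media_id, requester_id):
    """Hardened: check visibility per object, and make 'not allowed' look
    exactly like 'does not exist' so an ID brute-force gets no oracle for
    sorting out which IDs are private or archived."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(media, requester_id):
        raise NotFound(media_id)
    return _details(media)


def enumerate_ids(lookup, requester_id, id_range):
    """What a brute-forcer learns: the IDs for which the lookup returns data."""
    found = []
    for media_id in id_range:
        try:
            lookup(media_id, requester_id)
        except NotFound:
            continue
        found.append(media_id)
    return found


if __name__ == "__main__":
    stranger = 99  # a logged-in user who follows nobody
    print("vulnerable:", enumerate_ids(media_info_vulnerable, stranger, range(1000, 1010)))
    print("hardened:  ", enumerate_ids(media_info, stranger, range(1000, 1010)))
```

Run against a stranger, the vulnerable lookup hands back every media ID in the range, archived ones included, while the hardened lookup returns only the public post. The design point is that the check is made per object on every request, and that unauthorized and non-existent IDs are indistinguishable to the caller; a distinct "forbidden" response would itself confirm that a private or archived item exists at that ID.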
Fartade Reports the Bug to Facebook
Mayur Fartade, a computer science engineering student, said that he had been testing the Instagram app for a week without finding any bug at first. When he looked more closely at features such as Insights and Promotions, he found the flaw.
Fartade first reported the bug through the Facebook Bug Bounty program on April 16. The Facebook Security Team responded on April 19, asking him for further information.
On April 29, Facebook patched the vulnerability, and Fartade was awarded about Rs 22 lakh for the report.
Facebook thanked Fartade for his report. “Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.
The bug could have exposed a range of sensitive details and would certainly have qualified as a breach of privacy, since non-followers could access content in a private account. Facebook's response frames the issue as requiring the attacker to know the specific Media ID, but, as Fartade's own description of brute-forcing Media IDs shows, that is a weak barrier when the identifiers can be guessed or enumerated; secrecy of an ID is no substitute for an authorization check on each request.
Exposed private content of this kind could lead to identity theft, blackmail, harassment and more. With the bug fixed, regular users of the platform can be more at ease.