New Delhi: An Indian ethical hacker has won Rs 22 lakh for discovering and reporting a security bug in the Facebook-owned photo-sharing platform, Instagram.
Solapur-based Mayur Fartade discovered and reported to Facebook that a bug in Instagram is erroneously allowing anyone to access a user’s archived posts, Stories, Reels and IGTV, even if the profile is set to private.
Facebook fixed the bug on June 15. Using the flaw, attackers could have gained unauthorised access to content posted by users without actually following them. Fartade spotted the bug that could have exposed private photos of several Instagram accounts.
He first reported the Instagram bug to Facebook through its bug bounty programme on April 16, 2021. The social media giant responded to him on April 19, seeking more information about the bug, and he was finally awarded Rs 22 lakh.
According to media reports, Fartade is a computer science engineering student with technical skills in C++ and Python. In a post on the blogging platform Medium, Fartade said that attackers could also have stored photos, videos and details about specific media by brute-forcing Media IDs using the bug.
“Data of users can be read improperly. An attacker could be able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filter which are private and archived,” he noted.
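The flaw described above is an object-level authorization failure: knowing a media ID was enough to fetch the media, regardless of who owned it or whether the profile was private. The following added example (not code from Instagram or from Fartade's report; the account and media records are constructed and the IDs are hypothetical) contrasts a handler that trusts the ID alone with one that authorizes the viewer against the owner's privacy settings and the item's archived state, and returns the same empty result for missing and forbidden IDs so that ID brute-forcing yields no oracle.

```python
from dataclasses import dataclass, field

# Constructed sample data: hypothetical accounts and media IDs, not real Instagram records.
@dataclass
class Account:
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner_id: int
    archived: bool
    cdn_url: str

ACCOUNTS = {
    1: Account(1, is_private=True, followers={2}),   # private profile, followed by user 2
    3: Account(3, is_private=False),                 # public profile
}
MEDIA = {
    1001: Media(1001, owner_id=1, archived=False, cdn_url="https://cdn.example/1001.jpg"),
    1002: Media(1002, owner_id=1, archived=True,  cdn_url="https://cdn.example/1002.jpg"),
    1003: Media(1003, owner_id=3, archived=False, cdn_url="https://cdn.example/1003.jpg"),
}

def get_media_insecure(media_id):
    """Vulnerable pattern: a valid media ID is treated as proof of access."""
    media = MEDIA.get(media_id)
    return media.cdn_url if media else None

def can_view(viewer_id, media):
    """Object-level authorization for a single media item."""
    if viewer_id == media.owner_id:
        return True
    if media.archived:
        return False  # archived items are visible only to their owner
    owner = ACCOUNTS[media.owner_id]
    return (not owner.is_private) or (viewer_id in owner.followers)

def get_media(viewer_id, media_id):
    """Hardened handler: resolve the object, then authorize the viewer against it."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(viewer_id, media):
        return None  # identical response for missing and forbidden IDs: no enumeration oracle
    return media.cdn_url
```

Calling `get_media_insecure(1002)` returns the archived private item's URL to anyone, while `get_media(99, 1002)` returns nothing for a non-follower.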
“After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfils its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” Facebook said in a letter to Fartade.