
Facebook awards $30,000 bounty for exploit exposing private Instagram content | ZDNet

Facebook has awarded $30,000 to a researcher for reporting vulnerabilities in Instagram’s privacy features. 

According to a Medium blog post penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account. 

This included private and archived posts, stories, and reels.

If an attacker obtains a target user’s Media ID, via brute-force or through other means, they could then send a POST request to Instagram’s GraphQL endpoint, which exposed display URLs and image URLs, alongside records including like and save counts.  

A further vulnerable endpoint was also found that exposed the same information. 

In both cases, an attacker could extract sensitive data about a private account without first being accepted as a follower, which is the mechanism Instagram relies on to protect the privacy of such accounts. In addition, the endpoints could be used to extract the addresses of Facebook pages linked to Instagram accounts.
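The following Python is an added illustration, not code from the article, the researcher, or Instagram: it models the authorization gap described above, placing a lookup keyed only on a media ID beside one that checks the viewer's relationship to the owning account before returning anything. Account names, media IDs and URLs are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data; names, IDs and URLs are hypothetical, not Instagram's.
@dataclass
class Account:
    username: str
    private: bool
    followers: set = field(default_factory=set)  # usernames the owner has accepted

@dataclass
class Media:
    media_id: int
    owner: Account
    display_url: str
    archived: bool = False
    like_count: int = 0
    save_count: int = 0

alice = Account("alice", private=True, followers={"bob"})
MEDIA_STORE = {
    1001: Media(1001, alice, "https://cdn.example/1001.jpg", like_count=7, save_count=2),
    1002: Media(1002, alice, "https://cdn.example/1002.jpg", archived=True),
}

def serialize(m: Media) -> dict:
    # The fields the article says the endpoints exposed: URLs plus like/save counts.
    return {"display_url": m.display_url, "like_count": m.like_count, "save_count": m.save_count}

def fetch_media_vulnerable(media_id: int):
    """Keyed on the media ID alone: whoever obtains or guesses the ID gets the record,
    regardless of whether the owner is private or the post is archived."""
    m = MEDIA_STORE.get(media_id)
    return None if m is None else serialize(m)

def can_view(viewer, m: Media) -> bool:
    """Object-level authorization: the viewer's relationship to the owner decides."""
    if viewer == m.owner.username:
        return True                      # owners always see their own media
    if m.archived:
        return False                     # archived posts are owner-only
    if m.owner.private and viewer not in m.owner.followers:
        return False                     # private account, viewer not an accepted follower
    return True

def fetch_media(viewer, media_id: int):
    """Hardened lookup. Missing and forbidden collapse to one response, so the endpoint
    does not confirm which IDs exist to a caller enumerating them."""
    m = MEDIA_STORE.get(media_id)
    if m is None or not can_view(viewer, m):
        return None
    return serialize(m)
```

The check belongs on the server, on every endpoint that can resolve a media ID, since the article notes a second endpoint returned the same data after the first was reported.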

Fartade reported his findings for the first endpoint through the Facebook Bug Bounty program on April 16. Facebook's security team responded on April 19 with a request for further information, including steps to reproduce the issue.

By April 22, the bug bounty hunter’s report had been triaged, and a day later, Fartade found and informed Facebook of the second leaky endpoint.

Facebook patched the vulnerable endpoints on April 29; however, Fartade says that a further fix was required to fully resolve the security issue.

A financial reward worth $30,000 was awarded by June 15, the bug bounty hunter’s first through Facebook’s program. The social media giant thanked the researcher for his report.

ZDNet has reached out to Facebook and we will update when we hear back. 


