Facebook has awarded an Indian hacker $30,000 (over Rs 22 lakh) for discovering bugs on its photo-sharing platform Instagram. 21-year-old Mayur Fartade from Solapur discovered and reported the bug to Facebook, which he said was allowing anyone to access a user’s archived posts, stories, reels, and IGTV videos – even if the profile was private.
Facebook has since fixed the bug, which would have let hackers gain access to users' private pictures and videos without having to follow them, according to a Hindustan Times report. Fartade reported the Instagram bug to Facebook via its Bug Bounty programme on April 16, 2021. Facebook responded to him on April 19, and he was rewarded on June 15, after the issue was finally resolved.
Fartade is a computer science engineering student and is proficient in C++ and Python. In a post on the blogging platform Medium, Fartade said that attackers could also have stored photos, videos, and details about specific media without following the user, by using what is known as the Media ID.
“Data of users can be read improperly. An attacker could be able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media ID’s, an attacker could be able to store the details about specific media and later filter which are private and archived,” he noted.
Facebook in its letter to Fartade thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.
Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.