Facebook awards $30,000 bounty for exploit exposing private Instagram content
Bounty hunter Mayur Fartade has been awarded $30,000 for discovering and reporting a vulnerability in Instagram’s privacy features. According to Fartade, he uncovered a set of vulnerable endpoints within the Instagram app that allowed hackers to view private media on the platform without following a targeted account. Fartade wrote in a Medium blog post that this vulnerability applied to archived posts, stories, and reels.
According to the researcher, an attacker who obtained a target user’s Media ID through a brute force attack could send a POST request to Instagram’s GraphQL endpoint, which returned the media’s display URLs and image URLs. The attacker could therefore retrieve content from a private account without following it, bypassing the access control that private accounts rely on. The same endpoint could also be used to extract the addresses of Facebook pages linked to Instagram accounts. According to Facebook, the bug was reported on April 16.
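As an added example (not from the article and not Instagram’s own code), the following hypothetical media resolver models the object-level authorization check that this class of bug lacks: the unchecked lookup hands back URLs to anyone holding a valid Media ID, while the hardened lookup decides per request whether the authenticated viewer may see the object, so a guessed ID alone yields nothing. The accounts, media records, follower relation and the rule that archived items are owner-only are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)  # user_ids approved to follow

@dataclass
class Media:
    media_id: int
    owner_id: int
    display_url: str
    archived: bool = False

class MediaService:
    def __init__(self, accounts, media):
        self.accounts = {a.user_id: a for a in accounts}
        self.media = {m.media_id: m for m in media}

    def resolve_unchecked(self, media_id: int) -> Optional[dict]:
        # Vulnerable pattern: a valid media_id alone returns the URLs, whoever asks.
        m = self.media.get(media_id)
        return None if m is None else {"media_id": m.media_id, "display_url": m.display_url}

    def can_view(self, viewer_id: int, m: Media) -> bool:
        owner = self.accounts[m.owner_id]
        if viewer_id == owner.user_id:
            return True  # owners always see their own media
        if m.archived:
            return False  # assumption: archived items are owner-only
        if not owner.is_private:
            return True  # public account: anyone may view
        return viewer_id in owner.followers  # private: approved followers only

    def resolve(self, viewer_id: int, media_id: int) -> Optional[dict]:
        # Hardened pattern: authorize against the authenticated viewer on every request;
        # missing and forbidden look identical so a guessed ID is not confirmed to exist.
        m = self.media.get(media_id)
        if m is None or not self.can_view(viewer_id, m):
            return None
        return {"media_id": m.media_id, "display_url": m.display_url}

# Constructed sample data: user 1 is private and followed only by user 2.
SERVICE = MediaService(
    accounts=[Account(1, True, {2}), Account(2, False), Account(3, False)],
    media=[Media(100, 1, "https://example.invalid/m100.jpg"),
           Media(101, 1, "https://example.invalid/m101.jpg", archived=True)],
)
```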