Facebook awarded a researcher $30,000 for reporting vulnerabilities in Instagram's privacy features.
According to a Medium blog post written by bug hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following the target account. This included private and archived posts, Stories and Reels.
If an attacker obtained the media ID of a target user, either by brute force or by other means, they could then send a POST request to Instagram's GraphQL endpoint, which returned the display URL and image URLs of the media, as well as records including like and comment counts. In other words, the endpoint checked only that the media ID existed, not whether the requester was allowed to see the media.
A second vulnerable endpoint exposed the same information.
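The bug class described above is a missing object-level authorization check: a lookup endpoint that serves any media whose ID the caller knows, regardless of the caller's relationship to the owner. The following is an added, constructed Python model of that flaw beside a hardened version of the same resolver. It is not Instagram's or Facebook's code; the account and media data model, the names `media_info_vulnerable`, `media_info_hardened` and `can_view`, and the sample records are all assumptions made for illustration.

```python
"""Constructed model of a media-lookup resolver with an insecure direct
object reference (the vulnerable form) and the same resolver with an
object-level authorization check (the hardened form). Example code only;
the data model and all names are assumptions, not Instagram's API."""

from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    private: bool
    followers: set = field(default_factory=set)  # IDs the owner has accepted


@dataclass
class Media:
    media_id: int
    owner_id: int
    display_url: str
    like_count: int
    archived: bool = False  # archived posts are visible to the owner only


# Constructed sample data: account 1 is private and has accepted account 2
# as a follower; account 3 follows nobody.
ACCOUNTS = {
    1: Account(1, private=True, followers={2}),
    2: Account(2, private=False),
    3: Account(3, private=False),
}
MEDIA = {
    1001: Media(1001, owner_id=1, display_url="https://cdn.example/1001.jpg", like_count=42),
    1002: Media(1002, owner_id=1, display_url="https://cdn.example/1002.jpg", like_count=7, archived=True),
    2001: Media(2001, owner_id=2, display_url="https://cdn.example/2001.jpg", like_count=3),
}


class NotFound(Exception):
    """Raised for IDs the caller may not see; deliberately the same error as
    for IDs that do not exist, so probing cannot confirm a guessed ID."""


def _serialize(media: Media) -> dict:
    return {"display_url": media.display_url, "like_count": media.like_count}


def media_info_vulnerable(caller_id: int, media_id: int) -> dict:
    """The flaw: the only check is that the media ID exists, so any caller
    who guesses or brute-forces the ID receives private or archived media."""
    media = MEDIA.get(media_id)
    if media is None:
        raise NotFound
    return _serialize(media)


def can_view(caller_id: int, media: Media) -> bool:
    """Object-level authorization: owner sees everything; archived media is
    owner-only; public accounts are open; private accounts require that the
    caller be an accepted follower."""
    owner = ACCOUNTS[media.owner_id]
    if caller_id == owner.account_id:
        return True
    if media.archived:
        return False
    if not owner.private:
        return True
    return caller_id in owner.followers


def media_info_hardened(caller_id: int, media_id: int) -> dict:
    """Same resolver with the authorization check applied before any data
    about the object is returned."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(caller_id, media):
        raise NotFound
    return _serialize(media)


def is_visible(caller_id: int, media_id: int, resolver=media_info_hardened) -> bool:
    """True if the resolver returns the media to this caller, False if it
    raises NotFound. Convenience wrapper for checks and tests."""
    try:
        resolver(caller_id, media_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # Non-follower 3 requests private media 1001 through both resolvers.
    print("vulnerable:", is_visible(3, 1001, media_info_vulnerable))  # True: leaks
    print("hardened:  ", is_visible(3, 1001))                         # False
```

The hardened resolver returns the same `NotFound` for "does not exist" and "not authorized", which matters when the media ID can be brute-forced: a distinguishable "forbidden" response would still confirm which guessed IDs are real. The check also has to run on every endpoint that serves the object, since, as the article notes, a second endpoint exposing the same data is just as exploitable as the first.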
Extract sensitive data from a private account
In either case, an attacker could have extracted sensitive data from a private account without being accepted as a follower, the Instagram mechanism designed to protect user privacy. In addition, the endpoints could be used to extract the addresses of Facebook pages linked to Instagram accounts.
Mayur Fartade reported his findings on the first endpoint through Facebook's bug bounty program on April 16. Facebook's security team responded on April 19 requesting additional information, in particular reproduction steps.
By April 22 the ethical hacker's report had been triaged, and a day later Mayur Fartade found the second leaky endpoint and notified Facebook.
Reward of $30,000
Facebook fixed the vulnerable endpoints on April 29, but Mayur Fartade says another patch is needed to completely address the security issue.
A $30,000 reward was paid to him on June 15 under Facebook's bug bounty program, and the social media giant thanked the researcher for his report.
Source: ZDNet.com