An Indian hacker has been paid Rs 22 lakh by Facebook for identifying dangerous flaws in the Instagram app. Even if a user's profile was private, the flaw permitted anyone to access that user's archived posts, Stories, Reels, and IGTV without following them. Facebook has already fixed the problem, but had it remained unfixed, the glitch may have allowed hackers to get illicit access to users' private photos and videos.
Solapur-based Mayur Fartade, a C++ and Python expert, discovered the issue that allowed hackers to view specific Instagram content. Using a Media ID, and without following the person, the flaw might have exposed a user's private photographs, including private/archived posts, stories, reels, and IGTV. By brute-forcing Media IDs, the attacker could also store photographs, videos, and details about individual media, he revealed in a thorough Medium post.
“User data can be read incorrectly. An attacker could produce valid CDN URLs for archived stories and posts. An attacker might also collect facts about certain media and later filter which are private and preserved by brute-forcing Media IDs,” he said in the blog post.
The information gathered from Instagram might also be used to gain access to the Instagram account's Facebook sites.