Facebook awards $30,000 bounty for exploit exposing private Instagram content

The bug allowed users to view content without following an account.

Facebook has awarded $30,000 to a researcher for reporting vulnerabilities in Instagram's privacy features. 

According to a Medium blog post penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account. 

This included private and archived posts, stories, and reels.

If an attacker obtained a target user's Media ID, whether by brute force or through other means, they could then send a POST request to Instagram's GraphQL endpoint, which returned display URLs and image URLs for that media, alongside records including like and save counts.

A further vulnerable endpoint was also found that exposed the same information. 

In both cases, an attacker could extract sensitive data from a private account without first being accepted as a follower, the approval step Instagram relies on to protect the privacy of users. In addition, the endpoints could be used to extract the addresses of Facebook pages linked to Instagram accounts.
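The class of bug described above is a missing authorization check: an endpoint that resolves a media record by its ID without asking whether the requesting user is allowed to see it. The following is an added illustration, not Instagram's code or data model, using a hypothetical in-memory store with constructed users and media IDs. It contrasts a lookup that trusts the Media ID alone with one that enforces the owner, follower-approval and archived-content rules before returning anything, and that answers "not found" for both missing and forbidden IDs so a guessed ID is not confirmed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# All users, media records and IDs below are constructed sample data for this
# example; none of it is Instagram's real data model or code.


@dataclass
class User:
    user_id: int
    is_private: bool
    approved_followers: Set[int] = field(default_factory=set)
    linked_page: Optional[str] = None  # stands in for a linked Facebook page address


@dataclass
class Media:
    media_id: int
    owner_id: int
    display_url: str
    like_count: int
    save_count: int
    archived: bool = False


USERS: Dict[int, User] = {
    1: User(1, is_private=True, approved_followers={2}, linked_page="fb.example/page-1"),
    2: User(2, is_private=False),
    3: User(3, is_private=False),
}
MEDIA: Dict[int, Media] = {
    100: Media(100, owner_id=1, display_url="cdn.example/100.jpg", like_count=12, save_count=3),
    101: Media(101, owner_id=1, display_url="cdn.example/101.jpg", like_count=5, save_count=1, archived=True),
    200: Media(200, owner_id=3, display_url="cdn.example/200.jpg", like_count=40, save_count=9),
}
STRANGER = 9  # a logged-in user who follows nobody


def serialize(media: Media, owner: User) -> dict:
    """The response shape both handlers return once access is granted."""
    return {
        "media_id": media.media_id,
        "display_url": media.display_url,
        "like_count": media.like_count,
        "save_count": media.save_count,
        "linked_page": owner.linked_page,
    }


def get_media_vulnerable(viewer_id: int, media_id: int) -> dict:
    """Resolves the record by Media ID only; the viewer is never compared to the owner."""
    media = MEDIA[media_id]
    return serialize(media, USERS[media.owner_id])


class NotFound(Exception):
    """Raised for missing *and* forbidden media so the response does not reveal which."""


def can_view(viewer_id: int, media: Media, owner: User) -> bool:
    """Authorization policy: owner sees all; archived is owner-only; private needs approval."""
    if viewer_id == owner.user_id:
        return True
    if media.archived:
        return False
    if not owner.is_private:
        return True
    return viewer_id in owner.approved_followers


def get_media_hardened(viewer_id: int, media_id: int) -> dict:
    """Same lookup, but the policy check runs before any field is serialized."""
    media = MEDIA.get(media_id)
    if media is None:
        raise NotFound(media_id)
    owner = USERS[media.owner_id]
    if not can_view(viewer_id, media, owner):
        raise NotFound(media_id)
    return serialize(media, owner)


def is_denied(viewer_id: int, media_id: int) -> bool:
    """Helper for tests: True when the hardened endpoint refuses the request."""
    try:
        get_media_hardened(viewer_id, media_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # A non-follower pulls a private post through the unchecked handler...
    print("vulnerable:", get_media_vulnerable(STRANGER, 100))
    # ...but is refused by the hardened one, as is a guessed non-existent ID.
    print("hardened denies stranger:", is_denied(STRANGER, 100), is_denied(STRANGER, 999))
    print("hardened allows approved follower:", get_media_hardened(2, 100))
```

The point of the hardened version is that the fix lives in the authorization check, not in making Media IDs harder to guess: as the report notes, IDs may be obtained by brute force or other means, so the endpoint must behave correctly even when the attacker already holds a valid ID.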

Fartade reported his findings for the first endpoint through the Facebook bug bounty program on April 16. Facebook's security team responded on April 19 with a request for further information, including steps to reproduce the issue.

By April 22, the bug bounty hunter's report had been triaged, and a day later, Fartade found and informed Facebook of the second leaky endpoint.

Facebook patched the vulnerable endpoints on April 29; however, Fartade says that a further fix was required to fully resolve the security issue.

A financial reward worth $30,000 was awarded by June 15, the bug bounty hunter's first through Facebook's program. The social media giant thanked the researcher for his report.

ZDNet has reached out to Facebook and we will update when we hear back. 
