Instagram has fixed a new bug that allowed anyone to access private accounts’ archived posts and stories without needing to follow them.
On April 16, 2021, Mayur Fartade reported the problem to Facebook’s security team, and the Instagram bug was fixed on June 15.
As part of the company’s bug bounty program, he was also paid $30,000.
“This bug could have allowed a malicious user to view targeted media on Instagram,” Mayur Fartade said in a Medium post today. “An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID.”
Although the attack requires knowing the media ID associated with an image, video, or album, Fartade demonstrated that by brute-forcing the identifiers, it was possible to build a POST request to a GraphQL API and extract sensitive data.
As a result of the issue, details such as like/comment/save count, display url, and image.uri pertaining to the media ID could be collected even without following the targeted person, and the Facebook Page linked to an Instagram account could also be exposed.
On April 23, Fartade said he identified a second endpoint that revealed the same data.
Both of the leaking endpoints have since been fixed by Facebook.
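
The class of flaw described above is a lookup by object ID with no per-viewer authorization check. The following is an added illustration, not Instagram's or Fartade's code: it puts a resolver with that flaw beside a hardened one that also counts empty lookups so that ID guessing can be spotted. The data model, account names, media IDs, URLs and function names are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Media:
    owner: str
    archived: bool
    like_count: int
    display_url: str

# Constructed sample data: hypothetical accounts, IDs and URLs.
PRIVATE = {"alice"}
FOLLOWERS = {"alice": {"bob"}}
MEDIA = {
    1001: Media("alice", False, 12, "https://cdn.example/1001.jpg"),
    1002: Media("alice", True, 3, "https://cdn.example/1002.jpg"),
    1003: Media("carol", False, 40, "https://cdn.example/1003.jpg"),
}
DENIED = Counter()  # per-viewer count of lookups that returned nothing

def fields(m):
    return {"like_count": m.like_count, "display_url": m.display_url}

def can_view(viewer, m):
    if viewer == m.owner:
        return True
    if m.archived:          # archived media is visible to the owner only
        return False
    if m.owner in PRIVATE:  # private account: followers only
        return viewer in FOLLOWERS.get(m.owner, set())
    return True

def resolve_vulnerable(viewer, media_id):
    # Flaw: possession of a media ID is the only gate; the viewer is ignored.
    m = MEDIA.get(media_id)
    return fields(m) if m else None

def resolve_hardened(viewer, media_id):
    m = MEDIA.get(media_id)
    # Missing and forbidden look identical, so probing cannot confirm an ID.
    if m is None or not can_view(viewer, m):
        DENIED[viewer] += 1
        return None
    return fields(m)

def looks_like_enumeration(viewer, threshold=3):
    # A viewer piling up empty lookups is likely guessing IDs: alert or throttle.
    return DENIED[viewer] >= threshold
```
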
Facebook, like a lot of tech companies, offers a bug bounty program that allows security experts to responsibly disclose suspected security flaws in the company’s software.
A researcher is rewarded by the company if they are able to effectively demonstrate a security weakness or bug in the code.
Many businesses employ the same process to uncover security holes and prevent them from being sold on the dark web, where they are typically used to target people and obtain access to data.