Facebook has awarded a cash prize of ₹22 lakh to a 21-year-old hacker from Solapur for identifying a security bug in its Instagram app that could have given hackers access to users' private pictures and videos.
Reports said the bug, if not reported and addressed, could have let hackers break into users' profiles without following them and access their posts, stories, reels and IGTV by brute-forcing Media IDs.
Explaining the threat in a blog post, the hacker, Mayur Fartade, said the information obtained from Instagram could be used to gain access to Facebook accounts or pages linked to the Instagram account.
“Data of users can be read improperly. An attacker could be able to regenerate valid CDN URL of archived stories and posts. Also by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filter which are private and archived,” he wrote.
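The access-control failure the report describes, as an added illustrative example that is not Instagram's or Mayur's code: a media lookup keyed by a guessable numeric ID, first without any ownership or follower check, then with the check the fix needs. The users, media IDs, CDN URLs and follower sets are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: int
    private: bool
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner: int
    kind: str          # "post", "story", "reel" or "igtv"
    archived: bool = False
    cdn_url: str = ""

# Constructed sample data: uid 3 does not follow the private user uid 1; uid 2 does.
USERS = {1: User(1, private=True, followers={2}),
         2: User(2, private=False),
         3: User(3, private=False)}
MEDIA = {
    1001: Media(1001, owner=1, kind="post", cdn_url="https://cdn.example/1001.jpg"),
    1002: Media(1002, owner=1, kind="story", archived=True, cdn_url="https://cdn.example/1002.mp4"),
    2001: Media(2001, owner=2, kind="reel", cdn_url="https://cdn.example/2001.mp4"),
}

def get_media_vulnerable(viewer: int, media_id: int):
    """Insecure direct object reference: only checks that the ID exists,
    so anyone who can guess or enumerate an ID gets the CDN URL."""
    m = MEDIA.get(media_id)
    return m.cdn_url if m else None

def can_view(viewer: int, m: Media) -> bool:
    """Authorization decision the lookup must make before returning anything."""
    if viewer == m.owner:
        return True
    if m.archived:            # archived media is visible to its owner only
        return False
    owner = USERS[m.owner]
    return (not owner.private) or (viewer in owner.followers)

def get_media_fixed(viewer: int, media_id: int):
    """Fixed lookup: a missing ID and a forbidden ID both return None, so an
    enumeration cannot tell 'exists but private' from 'does not exist'."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(viewer, m):
        return None
    return m.cdn_url
```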
Mayur, who is skilled in C++ and Python, first tipped Facebook about the issue through the Facebook Bug Bounty program on April 16, following which the social media platform asked him for a detailed explanation of the threat on April 19. Facebook fixed the bug on April 29 and rewarded Mayur on June 15.
The social media platform also explained Mayur's contribution in a letter of thanks.
“After reviewing the issue, we have decided to award you a bounty of $30,000. Below is an explanation of the bounty amount. Facebook fulfils its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.
A graduate in computer science, Mayur reportedly found the bug after a thorough check of features like Insights and Promotions on the Instagram app.