Facebook has awarded Rs 22 lakh to an Indian hacker for discovering a security flaw in the Instagram app. The bug allowed anyone to view archived posts, stories, reels and IGTV videos without following the user, even if the profile was private. Facebook has since fixed the problem; if left unpatched, the bug would have let attackers access users’ private pictures and videos without following them.
Mayur Fartade from Solapur, who has knowledge of C++ and Python, spotted the bug that allowed attackers to view targeted media on Instagram. The bug could have revealed a user’s private content, including private and archived posts, stories, reels and IGTV videos, without following the user, given only the media ID. He explained in a detailed post on Medium that an attacker could also brute-force media IDs to retrieve photos, videos and details about specific media.
“User data can be misread. An attacker could be able to regenerate a valid cdn url from archived stories and posts. An attacker could also use brute force media IDs to save details about certain media and later filter them that are private and archived,” he said in the blog post.
The information received from Instagram could also be used to gain access to the Facebook pages associated with the Instagram account.
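The flaw described above is a missing authorization check on a media-by-ID lookup: the server trusted the ID alone instead of asking whether the requester is allowed to see that owner's content. The following Python sketch is an added illustration, not Instagram's or Fartade's code; the data model, function names and the enumeration threshold are assumptions. It shows the vulnerable lookup beside a fixed one that enforces the owner/follower rule, treats archived items as owner-only, returns the same "not found" answer for missing and forbidden IDs, and counts misses per requester as a simple signal of ID enumeration.

```python
"""Added illustration (not Instagram's code): the access-control check that a
media-by-ID lookup needs. Data model, names and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass, field

NOT_FOUND = None  # one answer for "does not exist" and "not allowed"


@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)  # approved followers


@dataclass
class Media:
    media_id: int
    owner: str
    kind: str            # "post", "story", "reel" or "igtv"
    archived: bool = False


# Constructed sample data: alice is private and followed by bob; carol is public.
ACCOUNTS = {
    "alice": Account("alice", is_private=True, followers={"bob"}),
    "carol": Account("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", "post"),
    1002: Media(1002, "alice", "story", archived=True),
    2001: Media(2001, "carol", "reel"),
}


def fetch_media_vulnerable(requester, media_id):
    """IDOR: the ID alone decides; whoever guesses it gets the object."""
    return MEDIA.get(media_id)


def is_authorized(requester, media):
    """Owner always; archived content owner-only; private accounts followers-only."""
    owner = ACCOUNTS[media.owner]
    if requester == media.owner:
        return True
    if media.archived:
        return False
    if owner.is_private:
        return requester in owner.followers
    return True


# Denied or missing lookups per requester; many misses suggests ID brute-forcing.
miss_counter = Counter()
ENUMERATION_THRESHOLD = 5  # assumed value for the illustration


def fetch_media_fixed(requester, media_id):
    """Same lookup with the authorization check and an enumeration counter."""
    media = MEDIA.get(media_id)
    if media is None or not is_authorized(requester, media):
        miss_counter[requester] += 1
        return NOT_FOUND  # do not reveal whether the ID exists
    return media


def suspected_enumeration(requester):
    """True once a requester has accumulated enough failed lookups."""
    return miss_counter[requester] >= ENUMERATION_THRESHOLD
```

Returning the same result for a forbidden ID and a non-existent one matters: if the two are distinguishable, an attacker can still confirm which IDs exist and filter for private or archived media, which is exactly the enumeration the report describes.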
Fartade first reported the Instagram bug on April 16 through the Facebook bug bounty program. On April 19, he received a response from Facebook asking him to provide more information on the matter. On April 29, Facebook patched the vulnerability, and on June 15 he finally received Rs 22 lakh for uncovering the dangerous bug.
Facebook thanked Fartade for his report in its letter. “After reviewing this issue, we’ve decided to award you a $30,000 bounty. You will find an explanation of the premium amount below. Facebook fulfills its Bounty Awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We fixed this problem. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.

Fartade, who is a computer science engineering student, said he tested the Instagram app for a week but initially found no bug. When he later delved deeper into features like insights and promotions, he was able to spot the bug. Fartade, who is only 21 years old, said he had previously earned a bounty for reporting bugs on government websites in his sophomore year. He would like to hunt bug bounties part-time, but wants to become a software developer.