Solapur based Mayur Fartade was able to spot the bug that allowed hackers to view targeted media on Instagram. Mayur reported the bug to Facebook and Instagram which if remained untouched would have let hackers gain illegal access to the private pictures, videos of users without following them.
In return, Facebook announced a reward of Rs 22 lakh to Mayur for discovering the malicious bug. The bug that was discovered allowed anyone to view archived posts, Stories, Reels and IGTV without following the user, even when the profile is private.
Mayur Fartade, a computer science student from Tatyasaheb Kore Engineering College in Kolhapur, reported the matter to Facebook and Instagram and saved it from falling into the hands of hackers. Noticing this, Facebook has announced a reward of 30,000 dollars for him.
“Data of users can be read improperly. An attacker could be able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media ID’s, an attacker could be able to store the details about specific media and later filter which are private and archived,” he said in the blog post.
The bug of Instagram could exposed a user's private photos. With the help of Media ID, private and archived posts, stories, reels and IGTV videos of any user could be viewed. Mayur reported the error on April 16 through Facebook's Bug Bounty program. The company has corrected the mistake till June 15. Mayur, a resident of Barshi, is a computer science student. He said, he was reading articles from various security resources to learn new things. That led to an incentive to find bugs on Instagram. For two weeks I was looking at new features and testing on web app and Android app. But later when he dug deeper into the features like insights, promotions, he was able to spot the malicious bug on Instagram.