An Indian developer and bug bounty hunter has been rewarded about Rs.22 lakh by Facebook for locating an Instagram bug that would have allowed anyone to view posts from a private Instagram account without following it. The bug, which has now been disclosed by the developer, Mayur Fartade, in a Medium post, could have represented a serious breach of privacy, with the risk of targeted fraud and harassment. The bug was first reported to Instagram on April 15, 2021, and has since been patched by the company.
According to Fartade, the bug could have allowed attackers, or those intent on cyber espionage, to target select posts of certain users and view them even without following the private account in question.
The elevated privilege the attackers could have obtained would have let them view elements such as “private/archived posts, stories, reels (and) IGTV, details including like/comment/save count, display_url, image.uri, Facebook linked page(if any) and other particulars, without following the user and by using Media ID,” Fartade said in his post.
The bug could essentially let anyone brute force a post’s ‘Media ID’, the identifier assigned to every post made on Instagram, and then use it to regenerate valid links to archived and private posts. To do this, attackers could use Instagram’s GraphQL tool from its developer library, enter the brute-forced Media ID of a targeted post, and run the query to obtain details such as the link to the post and its related particulars. In other words, the lookup validated that the Media ID existed but not that the requester was authorized to see the post it referred to.
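The flaw described above is a missing object-level authorization check on a Media ID lookup. As an added illustration that is neither Fartade’s code nor Instagram’s, the following Python sketch contrasts an unchecked lookup with one that verifies the viewer’s relationship to the post’s owner before returning any field; the account and media records are constructed sample data, and it assumes archived posts are visible only to their owner.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a real backend (not Instagram's code).
@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner: str
    display_url: str
    archived: bool = False

ACCOUNTS = {
    "alice": Account("alice", is_private=True, followers={"bob"}),
    "carol": Account("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", "https://example.invalid/alice/1001.jpg"),
    1002: Media(1002, "alice", "https://example.invalid/alice/1002.jpg", archived=True),
    2001: Media(2001, "carol", "https://example.invalid/carol/2001.jpg"),
}

def media_by_id_unchecked(media_id, viewer):
    """Vulnerable pattern: any existing Media ID resolves regardless of who
    asks, so an enumerated ID leaks private and archived posts to non-followers."""
    m = MEDIA.get(media_id)
    return None if m is None else {"media_id": m.media_id, "display_url": m.display_url}

def can_view(media, viewer):
    """Authorization decided per object, not per endpoint.
    Assumption: archived posts are visible only to their owner."""
    if viewer == media.owner:
        return True
    if media.archived:
        return False
    owner = ACCOUNTS[media.owner]
    return (not owner.is_private) or (viewer in owner.followers)

def media_by_id_checked(media_id, viewer):
    """Hardened lookup: fetch the object, then check the viewer's relationship
    to its owner before returning any field. Missing and forbidden IDs get the
    same answer, so probing cannot confirm that a given ID exists."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(m, viewer):
        return None
    return {"media_id": m.media_id, "display_url": m.display_url}
```

The same check belongs on every field resolver that hangs off the media object (like/comment counts, linked pages), since a GraphQL schema that authorizes only the top-level query still leaks through nested fields.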
The bug could potentially have exposed numerous sensitive details and would certainly have qualified as a breach of privacy, since non-followers gaining access to the content of a private account could lead to fraud, blackmail, harassment and more. Instagram has now patched the bug, which should come as a relief to regular users of the platform.