A serious security vulnerability in the Instagram platform potentially exposed users’ private posts and stories to non-following users. Following the bug report, Facebook fixed the flaw and awarded a hefty bounty to the researcher.
Instagram Vulnerability Exposed Private, Archived Posts
Security researcher Mayur Fartade found a security flaw affecting Instagram users. The vulnerability allowed anyone to view the private and/or archived posts and stories of other Instagram users without following them.
Sharing the details in a post, the researcher explained that anyone with the “media ID” for the target media could view the content. This may include viewing archived or private photos, videos, and more.
Nor did the attack depend on already knowing the media ID: an adversary could also brute-force the ID and thereby access more details.
As described in the post,
An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID.
Details include like/comment/save count, display_url, image.uri, Facebook linked page (if any) and other.
Besides the media ID, the researcher also found a similar vulnerability with another endpoint, “doc ID”.
Fartade has also explained the steps to reproduce the exploit in the blog post.
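The flaw described above is a missing per-object authorization check: the media ID alone decided what was returned. The sketch below is an added example, not code from Instagram or from the researcher's post; the data model, function names, visibility policy and sample records are all assumptions constructed for illustration. It shows a lookup without and with that check, plus a regression check that lists the IDs where the two disagree.

```python
# Constructed sample data (hypothetical accounts and media, not real records).
ACCOUNTS = {
    "alice": {"private": True, "followers": {"bob"}},
    "carol": {"private": False, "followers": set()},
}
MEDIA = {
    1001: {"owner": "alice", "archived": False, "like_count": 12,
           "display_url": "https://cdn.example/1001.jpg"},
    1002: {"owner": "carol", "archived": True, "like_count": 3,
           "display_url": "https://cdn.example/1002.jpg"},
    1003: {"owner": "carol", "archived": False, "like_count": 7,
           "display_url": "https://cdn.example/1003.jpg"},
}

def details(m):
    # The kind of fields the report says were exposed.
    return {"display_url": m["display_url"], "like_count": m["like_count"]}

def lookup_unchecked(viewer, media_id):
    """Flawed pattern: any caller holding a valid ID gets the details."""
    m = MEDIA.get(media_id)
    return details(m) if m is not None else None

def can_view(viewer, m):
    """Assumed policy: archived is owner-only, private needs a follow."""
    if viewer == m["owner"]:
        return True
    if m["archived"]:
        return False
    owner = ACCOUNTS[m["owner"]]
    return not owner["private"] or viewer in owner["followers"]

def lookup_checked(viewer, media_id):
    """Authorize per object; denied and nonexistent IDs return the same
    result, so the response does not confirm which IDs exist."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(viewer, m):
        return None
    return details(m)

def exposure_gap(viewer):
    """Regression check: IDs the unchecked path serves but policy denies."""
    return sorted(i for i in MEDIA
                  if lookup_unchecked(viewer, i) is not None
                  and lookup_checked(viewer, i) is None)
```

Running `exposure_gap` for every test identity in CI turns the authorization policy into an assertion: any non-empty result on the production lookup path is a leak.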
Facebook Fixed The Bug; Awarded $30,000
Upon discovering the bug, the researcher reported the matter to Facebook on April 16, 2021. After some back-and-forth messages, the discovery of another vulnerable endpoint on April 23, 2021, and the related communication, Facebook eventually addressed the matter on April 29, 2021.
However, the researcher found the fix incomplete. Hence, it took some more time for the tech giant to fix the bug.
Finally, in June 2021, Facebook patched the bug, which the researcher also confirmed. Moreover, for the bug report, the very first from Fartade to Facebook, the tech giant awarded a $30,000 bounty.
Hence, Instagram users are seemingly safe from potential exploits in this regard.