Instagram: everyone could access private profiles!
While Roger Waters gently tells Mark Zuckerberg to look elsewhere to use a Pink Floyd song in an Instagram ad, IT security researchers continue to scour the app for a possible security breach. And precisely, the bug hunter Mayur Fartade has found a beautiful one, a beautiful critical and embarrassing flaw for Facebook, Instagram’s parent company.
According to his blog, the expert found a series of vulnerable endpoints in the Instagram app that allows attackers accessing private media on the platform, like Stories, Profiles or Reels, without being subscribed to the accounts in question. If a hacker obtains the media ID of a target user, either through a brute force attack or other hacking techniques, it became possible to send a POST request to Instagram’s GraphQL endpoint.
As a result, the attacker would be able access a user’s private and archived media, as well as a lot of data like likes and comments for example. In addition, the hacker was also able to retrieve the addresses of Facebook pages linked to Instagram accounts, could in fact retrieve more information on the owner of the targeted account.
Also read: Instagram is accused of spying on you via your smartphone camera!
Private Instagram content was publicly accessible https://t.co/HM5Sho19kW
– The Virus Info & Pirates Mag ‘(back!) (@ACBM_COM) June 16, 2021
$ 30,000 as a reward for the researcher
The computer security researcher shared his findings via Facebook’s bug-hunting program on April 16, 2021. Facebook took his revelations seriously and began its investigation to confirm or refute Mayur Fartade’s theory. Meanwhile, the expert found additional vulnerable endpoints within the application.
Two weeks later, Facebook finally recognized the researcher’s work and quickly released a patch to fix these vulnerable endpoints. Bug hunting program requires, Mayur Fartade was rewarded for his expertise with a check for $ 30,000. A bit stingy no, given the seriousness of these flaws? However, it is better than nothing. And especially better than a trial.
” Your report brought to light a scenario in which a malicious user could access specific media on Instagram. This scenario required the attacker to know the specific media ID of a user. We fixed this problem. Thanks again for your report. We will look forward to your next reports in the future! “, Facebook said in a post to Mayur Fartade.
You surprise me.