Facebook paid $30,000 to this Indian security researcher for finding a critical bug in the Instagram app that allowed anyone to retrieve the media content of private Instagram users
On 15 June, Facebook awarded a bounty of $30,000 to Mayur Fartade, a bug hunter from Maharashtra. According to his write-up on Medium, the bug allowed an attacker to see details of a user's private or archived posts, stories, reels and IGTV videos without following that user, using only a media ID.
Those details include the like, comment and save counts, the display_url and image.uri fields, the linked Facebook page (if any) and other data.
He found the bug on 16 April 2021. An Instagram API endpoint allowed a malicious user to see the posts of other users even if he did not follow them. In the write-up he explains that the endpoint only needs a media ID to return a user's posts.
A MEDIA_ID can be obtained by brute force or guessing; an attacker only had to send a request to the Instagram API endpoint with that media ID, and if the ID existed the response contained the user's media content.
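The flaw described above is a missing object-level authorization check: the endpoint treated a guessable media ID as proof of entitlement. The following Python is an added illustration written for this article, not Instagram's code; the in-memory users, media records and handler names are constructed for the example. It shows the vulnerable lookup beside a hardened one that checks the viewer's relationship to a private owner and returns the same response for unauthorized and nonexistent IDs, so the endpoint cannot be used to learn which IDs exist.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)  # usernames allowed to see private media


@dataclass
class Media:
    media_id: int
    owner: str
    display_url: str
    like_count: int


# Constructed sample data for the example (hypothetical, not real accounts or posts).
USERS = {
    "alice": User("alice", is_private=True, followers={"bob"}),
    "carol": User("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", "https://cdn.example.invalid/alice/1001.jpg", 42),
    2002: Media(2002, "carol", "https://cdn.example.invalid/carol/2002.jpg", 7),
}
NOT_FOUND = {"error": "not found"}


def media_info_vulnerable(requester: str, media_id: int) -> dict:
    """Looks up by media ID only; the requester is never consulted, so any caller
    who guesses a valid ID receives private media details (the reported pattern)."""
    m = MEDIA.get(media_id)
    if m is None:
        return NOT_FOUND
    return {"media_id": m.media_id, "display_url": m.display_url, "like_count": m.like_count}


def can_view(requester: str, m: Media) -> bool:
    """Public accounts are visible to all; private media only to the owner or a follower."""
    owner = USERS[m.owner]
    return (not owner.is_private) or requester == owner.username or requester in owner.followers


def media_info_fixed(requester: str, media_id: int) -> dict:
    """Object-level authorization: the media ID is an identifier, not a capability.
    Unauthorized and nonexistent IDs yield the identical response, so the
    endpoint does not leak which IDs exist to someone enumerating them."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(requester, m):
        return NOT_FOUND
    return {"media_id": m.media_id, "display_url": m.display_url, "like_count": m.like_count}
```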
$30000 bounty from Facebook
— Mayur Fartade (@mayurfartade) June 15, 2021