Jun 16, 2021

Facebook awards $30,000 bounty for exploit exposing private Instagram content

According to a Medium blog post penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account.

This included private and archived posts, stories, and reels.

If an attacker obtained a target user’s Media ID, via brute force or through other means, they could then send a POST request to Instagram’s GraphQL endpoint, which exposed display URLs and image URLs, alongside records including like and save counts.
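The class of flaw described here is a missing object-level authorization check: knowing a Media ID was enough to read the record. The following Python example is added for illustration and is not Instagram's code or code from the original post; the data model, function names, sample data and the visibility policy are all assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical data model; all names and values are constructed for illustration.
@dataclass
class Account:
    user_id: int
    is_private: bool = False
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner: Account
    display_url: str
    like_count: int = 0
    save_count: int = 0
    is_archived: bool = False

class NotFound(Exception):
    """Raised for both missing and unauthorized media, so guessing IDs reveals nothing."""

def serialize(m):
    return {"display_url": m.display_url, "like_count": m.like_count, "save_count": m.save_count}

def resolve_media_vulnerable(store, viewer_id, media_id):
    # Flaw: possession of a media ID is treated as permission to read it.
    return serialize(store[media_id])

def can_view(viewer_id, m):
    # Assumed policy: owner sees everything, archived media is owner-only,
    # private accounts are visible to followers only.
    if viewer_id == m.owner.user_id:
        return True
    if m.is_archived:
        return False
    if m.owner.is_private:
        return viewer_id in m.owner.followers
    return True

def resolve_media_hardened(store, viewer_id, media_id):
    m = store.get(media_id)
    if m is None or not can_view(viewer_id, m):
        raise NotFound(media_id)  # identical error for "missing" and "forbidden"
    return serialize(m)

# Constructed sample data: user 1 is private and followed only by user 2.
alice = Account(1, is_private=True, followers={2})
STORE = {100: Media(100, alice, "https://cdn.example/100.jpg", like_count=5),
         101: Media(101, alice, "https://cdn.example/101.jpg", is_archived=True)}

def is_blocked(viewer_id, media_id):
    try:
        resolve_media_hardened(STORE, viewer_id, media_id)
        return False
    except NotFound:
        return True
```

The check runs on every lookup regardless of how the caller learned the ID, so unguessable identifiers and rate limiting become additional layers instead of the only control.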