Instagram gave Indian developer $30,000 for this standout finding; here is how it all happened

On Instagram, this Indian developer has helped protect users immensely from what could have happened. If you are on social media then you are most probably worried about the security of your account. You may have numerous things in there that are of value and would not want that to be accessed by anyone else. Or, perhaps, there are photos or other details that you would want to keep hidden from the world. Well, to get back to our story, an Indian developer has helped image sharing and social networking site Instagram to patch a bug in the company's systems that allegedly allowed users to view content on the platform including archived stories, Reels and even IGTV videos, without following a user on the platform.

The developer, Mayur Fartade, came across the bug on the platform that might have allowed malicious users to view what he called “targeted media” without following a user, by making use of the Media ID. In a Medium blog post, Fartade explained how an attacker might be able to regenerate a valid CDN URL of an archived story or post. A CDN or content delivery network, is used to deliver a website's data more efficiently, while the CDN URL is the link used to serve content and data to an individual user.

After Fartade disclosed the bug to the company's security team on April 16, he states that it resolved the issue by patching the bug on June 15 – nearly two months after it was initially disclosed. Fartade states that he was awarded $30,000 from the company's Bug Bounty program for his services.

The developer also stated that another endpoint was found that could have revealed the same set of information, and that the company has resolved the issues relating to that bug discovery.

Readers can access the details of the Maharashtra-based developer's discovery of the bug on his post on Medium. Facebook has also thanked Fartade on the company's Whitehat program website. 

Fartade said that while it appears that an attacker would need to know the exact Media ID in order to be able to actually see any media, it is possible for an attacker to “brute force” the Media ID (submitting multiple attempts) to gain access to the data. However, he did not reveal any method that could be used to perform such a step.

Notably, Facebook offers a bug bounty program to allow security researchers to responsibly disclose potential security vulnerabilities in the company's software. If a researcher is able to successfully demonstrate a security flaw or bug in the code, they are rewarded by the company for their discovery. Many companies follow the same procedure to help find security flaws and stop these bugs from being sold on the dark web, where they are usually used to target users and gain access to data.