21-year-old guy awarded Rs 22 Lakh from Facebook


Facebook has awarded Rs 22 lakh to an Indian hacker for discovering malicious bugs on the Instagram app. The bug that was discovered allowed anyone to view archived posts, Stories, Reels and IGTV without following the user, even when the profile is private. Although Facebook had now addressed the issue, the bug if remained untouched would have let hackers gain illegal access to the private pictures, videos of users without following them.

Solapur-based Mayur Fartade, who possess skills like C++, Python, was able to spot the bug that allowed hackers to view targeted media on Instagram. The bug could have exposed a user’s private photos including private/archived posts, stories, reels, IGTV without following the user using Media ID. He explained in a detailed post on Medium that the attacker could also store photos, videos and details about specific media by brute-forcing Media ID’s.

Also Read:

“Data of users can be read improperly. An attacker could be able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media ID’s, an attacker could be able to store the details about specific media and later filter which are private and archived,” he said in the blog post.

The information obtained from Instagram could also be used to get access to the Facebook pages attached to the Instagram account.

Fartade first reported about the Instagram bug through the Facebook Bug bounty program on April 16. He got a response from Facebook on April 19 where the social media giant requested him to provide further information about the same. On April 29, Facebook patched the vulnerability and on June 15 he was finally awarded Rs 22 Lakh for unearthing the dangerous bug.

Facebook in its letter to Fartade thanked him for his report. “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfils its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future!” the letter read.