Facebook awards $30,000 bounty for exploit exposing private Instagram content
Facebook has awarded $30,000 to a researcher for reporting vulnerabilities in Instagram's privacy features.
According to a write-up penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account.
This included private and archived posts, stories, and reels.
If an attacker obtains a target user's Media ID, via brute-force or through other means, they could then send a POST request to Instagram's GraphQL endpoint, which exposed display URLs and image URLs, alongside records including like and save counts.
A further vulnerable endpoint was also found that exposed the same information.
In both cases, an attacker could extract sensitive data concerning a private account without being accepted as a follower, a feature of Instagram designed to protect the privacy of users. In addition, the endpoints could be used to extract the addresses of Facebook pages linked to Instagram accounts.
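The defect described above is a missing authorization check: once a valid Media ID is known, the endpoint returns the record without verifying that the requester is an accepted follower of a private account. The following is an added example, not Instagram's code or the researcher's proof of concept, and every account, media ID, URL and function name in it is constructed. It puts a lookup handler that only checks whether the ID exists next to one that enforces the owner's privacy setting and follower relationship on every request, and returns the same "not found" response for unauthorized requests so that guessed IDs are not confirmed.

```python
"""
Constructed example (not Instagram's code): a minimal media-lookup service
showing the class of bug described above, where knowing a media ID is enough
to read a private account's post, next to the fixed version that enforces the
owner's privacy setting and the follower relationship on every request.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)  # usernames accepted as followers


@dataclass
class Media:
    media_id: int
    owner: str
    display_url: str
    like_count: int


# Constructed sample data: alice is private and has accepted bob; carol is public.
ACCOUNTS = {
    "alice": Account("alice", is_private=True, followers={"bob"}),
    "carol": Account("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", "https://cdn.example/alice/1001.jpg", like_count=12),
    2002: Media(2002, "carol", "https://cdn.example/carol/2002.jpg", like_count=3),
}


def lookup_media_vulnerable(requester: str, media_id: int) -> Optional[dict]:
    """Missing authorization: any authenticated user who knows a valid media ID
    gets the record, regardless of the owner's privacy setting."""
    media = MEDIA.get(media_id)
    if media is None:
        return None
    return {"display_url": media.display_url, "like_count": media.like_count}


def can_view(requester: str, owner: Account) -> bool:
    """Server-side visibility rule: public accounts are visible to everyone;
    private accounts only to the owner and accepted followers."""
    if not owner.is_private:
        return True
    return requester == owner.username or requester in owner.followers


def lookup_media_fixed(requester: str, media_id: int) -> Optional[dict]:
    """Authorization check on every lookup. Returns None for both 'not found'
    and 'not allowed' so the response does not confirm that an ID exists."""
    media = MEDIA.get(media_id)
    if media is None:
        return None
    owner = ACCOUNTS[media.owner]
    if not can_view(requester, owner):
        return None
    return {"display_url": media.display_url, "like_count": media.like_count}


if __name__ == "__main__":
    # "mallory" does not follow alice: the vulnerable lookup still leaks the post.
    print(lookup_media_vulnerable("mallory", 1001))
    print(lookup_media_fixed("mallory", 1001))   # None
    print(lookup_media_fixed("bob", 1001))       # bob is an accepted follower
```

The point of the fixed handler is that the check runs on the media's owner, not on the caller's claim about who they are viewing, and that it is applied inside the lookup itself; the report above notes that a second endpoint exposed the same data, which is what happens when the check lives in one caller rather than at the data access layer.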
Fartade reported his findings for the first endpoint through the Facebook Bug Bounty program on April 16. Facebook's security team then responded on April 19 with a request for information, including steps for reproduction.
By April 22, the bug bounty hunter's report had been triaged, and a day later, Fartade found and informed Facebook of the second leaky endpoint.
Facebook patched the vulnerable endpoints on April 29; however, Fartade says that a further fix was required to fully resolve the security issue.
A financial reward worth $30,000 was awarded by June 15, the bug bounty hunter's first through Facebook's program. The social media giant thanked the researcher for his report.
ZDNet has reached out to Facebook and we will update when we hear back.