Vulnerability in Instagram allowed viewing closed pages without subscribing to them


The security researcher who discovered the problems received $ 30,000 in a bounty program.

Instagram has patched a new vulnerability that allowed anyone to view archived posts and private page stories without having to subscribe to them. As security researcher Mayur Fartade, who discovered the problem, explained , “Using the Media ID, an attacker could see closed/archived posts, stories, Reels and IGTV without being subscribed to the user.”

Fartade notified the Facebook security team of the vulnerability on April 16, 2021, and released a fix on June 15. As part of the compensation program, the researcher received $ 30,000.

While an attacker would need to know the Media ID associated with a photo, video, or album to carry out an attack, Fartade demonstrated how to brute force IDs to create a POST request to a GraphQL endpoint and retrieve sensitive data.

As a result of the exploitation of the vulnerability, the corresponding Media ID data such as “likes”, comments, “saved”, display_url and image.uri could be retrieved even without subscribing to the attacked user. In addition, the attacker could find out the Facebook page associated with the attacked account.

On April 23, Fartade discovered another vulnerability that exposed the same dataset, and Facebook released a fix for it as well.

Catch up on more stories here

Follow us on Facebook here

Leave a Reply