Facebook Awards 30 000 Bounty For Exploit Exposing Private Instagram Content
According to a Medium blog post penned by bug bounty hunter Mayur Fartade on Tuesday, a set of vulnerable endpoints in the Instagram app could have allowed attackers to view private media on the platform without following a target account. This included private and archived posts, stories, and reels. If an attacker obtains a target user’s Media ID, via brute-force or through other means, they could then send a POST request to Instagram’s GraphQL endpoint, which exposed display URLs and image URLs, alongside records including like and save counts....