Instagram - Apps on Google Play

Cyber Security researcher(Mayur Fartade) from India has identified a new flaw which allowed anyone to view private/archived posts, stories, reels, IGTV without following the user using Media ID

The bug was diligently reported to the Facebook Security Team on  April 16, 2021 and it was patched on June 15. As a policy on bug bounty program Facebook team has rewarded him with $30,000 for this bug.

An attacker could able to regenerate valid cdn url of archived stories & posts. Also by brute-forcing Media ID’s, attacker could able to store the details about specific media and later filter which are private and archived.” posted by researcher in his Medium page.

Mayur also discovered another endpoint which exposes the same set of information. After the bug was reported, Facebook has taken measures to change both the endpoint details


16 April 2021 : Report sent
19 April 2021 : Reply from Facebook Security Team — Need more info
19 April 2021 : Information Sent
22 April 2021 : Report Triaged
23 April 2021 : Found another endpoint disclosing the same info
29 April 2021 : Fixed
29 April 2021 : Vulnerability not completely patched. Sent the information to FB Security Team
<some messages exchanged>
15 June 2021: Fixed and awarded $30000 bounty.

-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s