
Cyber security researcher Mayur Fartade, from India, has identified a new flaw that allowed anyone to view a user's private or archived posts, stories, reels and IGTV videos without following that user, by using the Media ID.

The bug was diligently reported to the Facebook Security Team on April 16, 2021, and it was patched on June 15. Under the policy of its bug bounty program, Facebook rewarded him with $30,000 for this bug.

“An attacker could be able to regenerate valid CDN URLs of archived stories & posts. Also, by brute-forcing Media IDs, an attacker could be able to store the details about specific media and later filter which are private and archived,” the researcher posted on his Medium page.

Mayur also discovered another endpoint that exposed the same set of information. After the bug was reported, Facebook took measures to change the details of both endpoints.
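The class of flaw described above is a lookup that treats knowledge of an object's ID as permission to read it. The following is an added illustration, not Instagram's or the researcher's code: a lookup without a per-object check next to one that authorizes against the resolved media and answers denied and unknown IDs identically. All account names, IDs and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Media:
    media_id: int
    owner: str
    archived: bool = False

# Constructed sample data (hypothetical accounts and IDs).
PRIVATE_ACCOUNTS = {"alice"}
FOLLOWERS = {"alice": {"bob"}}            # owner -> approved followers
MEDIA = {
    1001: Media(1001, "alice"),
    1002: Media(1002, "alice", archived=True),
    1003: Media(1003, "carol"),           # public account
}

class NotFound(Exception):
    """Raised for unknown IDs and for IDs the viewer may not see."""

def can_view(viewer: str, media: Media) -> bool:
    if viewer == media.owner:
        return True
    if media.archived:                    # archived media is owner-only
        return False
    if media.owner in PRIVATE_ACCOUNTS:
        return viewer in FOLLOWERS.get(media.owner, set())
    return True

def lookup_unchecked(viewer: str, media_id: int) -> Media:
    # Flawed pattern: a valid ID is enough, the viewer is never consulted.
    media = MEDIA.get(media_id)
    if media is None:
        raise NotFound(media_id)
    return media

def lookup_checked(viewer: str, media_id: int) -> Media:
    # Authorize against the resolved object. Denied and missing IDs raise
    # the same error, so guessed IDs do not reveal which ones exist.
    media = MEDIA.get(media_id)
    if media is None or not can_view(viewer, media):
        raise NotFound(media_id)
    return media

def visible_ids(viewer: str, lookup) -> list:
    """Regression helper: which IDs in the sample range return data."""
    seen = []
    for mid in range(1000, 1005):
        try:
            seen.append(lookup(viewer, mid).media_id)
        except NotFound:
            pass
    return seen
```

A check like `visible_ids` belongs in the regression suite for every endpoint that resolves the same object, since the report above involved a second endpoint exposing the same data.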

Timeline

16 April 2021 : Report sent
19 April 2021 : Reply from Facebook Security Team — Need more info
19 April 2021 : Information Sent
22 April 2021 : Report Triaged
23 April 2021 : Found another endpoint disclosing the same info
29 April 2021 : Fixed
29 April 2021 : Vulnerability not completely patched. Sent the information to FB Security Team
<some messages exchanged>
15 June 2021 : Fixed and awarded $30,000 bounty.
