Instagram Bug Allowed Anyone to View Private Accounts Without Following Them

Instagram has patched a new flaw that allowed anyone to view archived posts and stories posted by private accounts without having to follow them.

“This bug could have allowed a malicious user to view targeted media on Instagram,” Mayur Fartade said in a Medium post today. “An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID.”

Fartade disclosed the issue to Facebook’s security team on April 16, 2021, following which the shortcoming was patched on June 15. He was also awarded $30,000 as part of the company’s bug bounty program.

Although the attack requires knowing the media ID associated with an image, video, or album, Fartade demonstrated that the identifiers could be brute-forced, after which a crafted POST request to a GraphQL endpoint returned the sensitive data.

As a consequence of the flaw, details such as like/comment/save count, display_url, and image.uri corresponding to the media ID could be extracted even without following the targeted user, alongside exposing the Facebook Page linked to an Instagram account.

Fartade said he also discovered a second endpoint on April 23 that revealed the same set of information. Facebook has since addressed both leaky endpoints.
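The defect described above is a missing object-level authorization check: the endpoint resolved a media record by its (guessable) numeric ID without asking whether the caller was allowed to see it. The following is an added example, not Instagram's or Fartade's code, contrasting an unchecked lookup with one that enforces the owner's privacy and follower relationship; the accounts, media records and the archived-is-owner-only policy are all constructed assumptions for illustration.

```python
# Added example (not Instagram's code): object-level authorization for a media
# lookup keyed by a guessable numeric media ID. All data here is constructed.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    username: str
    is_private: bool
    followers: Set[str] = field(default_factory=set)  # approved viewers


@dataclass
class Media:
    media_id: int
    owner: str
    display_url: str
    archived: bool = False


# Constructed sample data: alice is private and followed only by bob.
ACCOUNTS = {
    "alice": Account("alice", is_private=True, followers={"bob"}),
    "carol": Account("carol", is_private=False),
}
MEDIA = {
    1001: Media(1001, "alice", "https://cdn.example/1001.jpg", archived=True),
    1002: Media(1002, "carol", "https://cdn.example/1002.jpg"),
    1003: Media(1003, "alice", "https://cdn.example/1003.jpg"),
}


def get_media_unchecked(media_id: int) -> Optional[Media]:
    """Vulnerable pattern: whoever supplies a valid ID gets the record."""
    return MEDIA.get(media_id)


def get_media(media_id: int, viewer: Optional[str]) -> Optional[Media]:
    """Hardened pattern: resolve by ID, then check the viewer may see it.
    Unauthorized and nonexistent IDs both yield None, so the endpoint does
    not act as an oracle for which IDs exist."""
    media = MEDIA.get(media_id)
    if media is None:
        return None
    owner = ACCOUNTS[media.owner]
    if viewer == owner.username:
        return media                      # owners always see their own media
    if media.archived:                    # assumed policy: archive is owner-only
        return None
    if owner.is_private and viewer not in owner.followers:
        return None                       # private account, not a follower
    return media
```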
