Got Paid $30,000 for Hacking Instagram
How I Got $30K from Facebook for a Simple Instagram Hack (Story-Time)
Facebook paid $30,000 to Mayur Fartade for discovering an Instagram bug that exposed private posts and stories to anyone. In this email, we’re diving into the full story of how Mayur found this vulnerability, reported it, and ultimately earned a massive bounty.
So, grab a seat because it’s story-time, and we’re talking about how a simple security flaw led to a $30K payout. 😱
Here's the story
Mayur Fartade, a security researcher from Maharashtra, comes across a vulnerability in Instagram. We’re talking about a bug that could’ve let anyone see private and archived posts, stories, and reels — all without even following the account. Sounds like a nightmare for privacy, right?
What He Found 👀
Here’s the juicy part: by using something called “media IDs” and some smart API tricks, Mayur discovered a way to unlock the details of these private posts. Likes, comments, the actual images — all up for grabs by just tweaking a few parameters. It was like he had found a hidden backdoor to Instagram's vault!
How Did He Do It? 🧑‍💻
Without getting too technical, here’s a breakdown:
He got his hands on the media ID (that’s the unique code for posts, reels, and stories).
Sent a simple POST request to Instagram’s ads API.
Voilà! He had access to private info like URLs, like counts, and even linked Facebook pages.
But here’s the wild twist: all of this was happening without the user ever knowing. Just imagine the kind of havoc that could’ve caused!
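The flaw class behind the steps above is a missing object-level authorization check: the endpoint answered for any media ID without asking whether the caller was allowed to see that media. The sketch below is an added example, not Instagram's code and not taken from Mayur's write-up; the data model, function names, users and URLs are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Media:
    media_id: str
    owner: str
    image_url: str
    like_count: int
    private: bool = False   # owner's account is private
    archived: bool = False  # owner archived the post

# Constructed sample data: media by ID, and approved followers per owner.
MEDIA = {
    "1001": Media("1001", "alice", "https://cdn.example/1001.jpg", 12),
    "1002": Media("1002", "bob", "https://cdn.example/1002.jpg", 7, private=True),
    "1003": Media("1003", "bob", "https://cdn.example/1003.jpg", 3, private=True, archived=True),
}
FOLLOWERS = {"bob": {"carol"}}

def can_view(viewer: str, m: Media) -> bool:
    """Visibility rule: owner always; archived is owner-only; private needs an approved follow."""
    if viewer == m.owner:
        return True
    if m.archived:
        return False
    return not m.private or viewer in FOLLOWERS.get(m.owner, set())

def details(m: Media) -> dict:
    return {"image_url": m.image_url, "like_count": m.like_count}

def lookup_vulnerable(viewer: str, media_id: str):
    """Flawed pattern: the caller is authenticated, but the object is never checked."""
    m = MEDIA.get(media_id)
    return details(m) if m else None

def lookup_hardened(viewer: str, media_id: str):
    """Object-level check; 'forbidden' and 'not found' look identical to the caller,
    so the endpoint cannot be used to confirm that a guessed ID exists."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(viewer, m):
        return None
    return details(m)

if __name__ == "__main__":
    for mid in MEDIA:
        print(mid, "vulnerable:", lookup_vulnerable("mallory", mid) is not None,
              "hardened:", lookup_hardened("mallory", mid) is not None)
```

The same `can_view` check has to sit in front of every endpoint that accepts a media ID, including secondary ones such as an ads or insights API, since a check enforced only on the main feed path leaves the other paths open.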
Facebook’s Response 📧
Mayur, being a responsible hacker (a.k.a. ethical hacker), didn’t keep this to himself. He reported the bug to Facebook’s security team on April 16th, 2021, and after a bit of back and forth, they patched it up. It took a little time, but by April 29th, they fixed it.
And guess what? After reviewing his findings, Facebook paid Mayur $30,000 for discovering this vulnerability. 🎉
Here's the link to Mayur Fartade's blog > Click here
Want to join Facebook Bug Bounty Program?
If you’re interested in discovering vulnerabilities and earning rewards like Mayur, the Facebook Bug Bounty Program is the perfect opportunity for you! By participating, you can help improve the security of Facebook’s platforms while also getting paid for your findings. Whether you’re a seasoned security researcher or just starting your journey in ethical hacking, there’s a place for you in this community. Ready to make a difference? Check out the program details and sign up at HackerOne - Meta Bug Bounty Program to start your journey today!
Bug Bounty rewards
Bug | Level | Reward |
---|---|---|
Page admin disclosure | Hard | $5k |
Contact point deanonymization | Hard | $10k |
Quest Persistent full secure boot bypass | Hard | $30k |
2FA Bypass | Hard | $20k |
Account Takeover | Hard | $130k |
Mobile RCE | Hard | $300k |
Total rewards for 2024
$1,920,559
Total rewards to date
$16,413,579