Laxman Muthiyah identified two bugs in one of the world’s most popular social media sites, Facebook-owned Instagram, within a month of each other.
He was rewarded $30,000 and $10,000 for finding these bugs and reporting them to Facebook and Instagram.
The 21-year-old said an attacker could have seen details of private/archived posts, stories, reels and IGTV without following the user, by using the Media ID. He revealed that Facebook fixed the bug on June 15.
In July, Laxman Muthiyah, who is a security researcher based out of Chennai, detected a bug in the Instagram app, which fetched him $30,000 in reward. And now, he has found a bug in Facebook-owned Instagram too. Both the bugs that he detected are quite similar to each other.
In his blog, Muthiyah says that he identified a vulnerability in the app which enabled him to hack into any account without ‘consent permission.’ He also says that Instagram and Facebook have fixed the bug, and it doesn’t exist anymore.
Facebook admitted to the presence of the bug in a message to Muthiyah, saying, “You identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery.”
The platform, this time, awarded him $10,000 as part of its bug bounty programme. Facebook offers a bounty, that is, a cash prize, to those who detect a bug in its platforms, such as Facebook or Instagram.