20-year-old Neeraj Sharma from India was awarded PKR 1 Crore 20 Lakhs after finding and reporting a critical bug in Instagram Reels. While hunting for bugs in the Reels section, Sharma found a vulnerability that allowed any attacker to change the thumbnail of an Instagram reel; all the attacker needed to know was the media ID of that particular reel.
This was a serious problem because, according to Sharma, the bug not only allowed attackers to change the reel thumbnail but also prevented the original account from changing the thumbnail back to its original form.
Had a malicious actor found the bug and abused it widely, things could have gotten out of hand, since it could have ruined the profile aesthetics of many celebrities. “In generic words, the malicious actor was able to forge thumbnails in any profile without any authorization or victim interaction. The impact was loud, wide and around heterogeneous masses of Instagram Users,” Sharma said about the situation.
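The flaw described above is a missing object-level authorization check: the server acted on a client-supplied media ID without confirming that the caller owned the reel. The sketch below is an added illustration, not Instagram's code or code from Sharma's write-up; the data model, function names and sample accounts are all assumptions constructed for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller does not own the target reel."""

@dataclass
class Reel:
    media_id: str
    owner_id: str
    thumbnail: str

# Constructed sample data: two hypothetical accounts, one reel each.
REELS = {
    "1001": Reel("1001", "alice", "alice_cover.jpg"),
    "2002": Reel("2002", "mallory", "mallory_cover.jpg"),
}
DENIED = []  # (session_user, media_id) pairs, kept for detection/alerting

def set_cover_unchecked(session_user, media_id, new_thumbnail):
    """Flawed pattern: trusts the client-supplied media ID and never
    compares the reel's owner with the authenticated user."""
    reel = REELS[media_id]
    reel.thumbnail = new_thumbnail
    return reel

def set_cover_checked(session_user, media_id, new_thumbnail):
    """Hardened pattern: object-level authorization before any write."""
    reel = REELS.get(media_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if reel is None or reel.owner_id != session_user:
        DENIED.append((session_user, media_id))
        raise Forbidden("caller may not edit this reel")
    reel.thumbnail = new_thumbnail
    return reel

def demo():
    results = {}
    # Unchecked handler: knowing the media ID is enough to overwrite the cover.
    results["unchecked"] = set_cover_unchecked("mallory", "1001", "forged.jpg").thumbnail
    REELS["1001"].thumbnail = "alice_cover.jpg"  # reset sample data
    try:
        set_cover_checked("mallory", "1001", "forged.jpg")
        results["checked_cross_account"] = "allowed"
    except Forbidden:
        results["checked_cross_account"] = "denied"
    results["checked_owner"] = set_cover_checked("alice", "1001", "new.jpg").thumbnail
    REELS["1001"].thumbnail = "alice_cover.jpg"
    return results
```

The ownership comparison uses the identity from the authenticated session, never an owner or user field sent in the request body.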
Neeraj Sharma’s journey towards finding a vulnerability in Instagram was a long and difficult one. The 20-year-old tech enthusiast started in December 2021 and spent a lot of time trying to find bugs in Instagram Ads.
After spending a lot of time on Ads, Sharma switched to hunting for bugs in Instagram Reels and was lucky enough to find one. “After spending some time with the target I came to the point where users can edit their reel cover photo (thumbnail),” said Sharma.
Soon after spotting the bug, Sharma reached out to the Meta security team and told them about the situation. Appreciating Sharma’s contribution, the tech giant rewarded him with $45000 (PKR 10719000).
“We greatly appreciate your detailed report and the effort you put into helping us secure our services and the people that use them. We look forward to working with you in the future,” said Meta in its email to Sharma.
The tech enthusiast wrote about the situation in a blog post and also listed the vulnerable endpoints that he had spotted.