Instagram has awarded Neeraj Sharma, an Indian student from Jaipur, $45000 (Rs 38 lakh) for finding a thumbnail bug and saving multiple Instagram accounts from getting hacked. Sharma wrote in a Medium blog post: “This thumbnail bug allowed malicious actor/s to change the thumbnail of any reels on Instagram. To perform this attack, only the Media ID of the target user’s reel was required.”
Thumbnail Bug: Millions of Accounts were Saved by Neeraj Sharma
Sharma said that when he learned about the thumbnail bug he immediately reported it to the Meta Security Team, and once the report was found to be authentic, he was rewarded with a cash prize of $45000 for this work. Sharma’s post details how he found the bug in Instagram reels. He said: “In December last year, I started finding fault with my Instagram account. After a lot of hard work, on the morning of January 31, I came to know about the (bug) mistake on Instagram. After this, I sent a report to Facebook about this mistake on Instagram at night and received a reply from them after three days. It asked me to share a demo.”
Sharma shared the demo with them, and on the night of 11th May he received an email from Facebook informing him that he had been given a reward of $45,000. Moreover, to compensate for the four-month delay in giving the reward, Facebook also gave him an additional $4500 as a bonus. Neeraj thanked the Meta team for their kind gesture and the huge bounty reward.
Meta Bug Bounty Program
Meta runs a bug bounty program for programmers to find bugs and issues within Meta platforms and report them to the security team. In return, the company offers rewards to external programmers for finding security vulnerabilities in Meta technologies. Meta has listed the process of reporting a bug in its info section, which reads: “Identify a vulnerability in our services or infrastructure which creates a security or privacy risk and report the vulnerability upon discovery or as soon as is feasible.” It further adds: “Submit your report via our ‘Report a security vulnerability’ form and respond to any follow-up requests from our staff for updates or further information.”