An Instagram hacker elected to play the hero instead of the villain.
Christian Lopez Martin, a self-identified freelance security researcher, published a blog post on Monday detailing how he was able to hack Instagram through the platform’s web version in a way that would allow outsiders to gather users’ private photos. Users who only used the mobile app would not have been at risk.
Instead of abusing the bug, Martin brought his work to Facebook six months ago and reported it as part of the company’s White Hat Program, which offers financial compensation to those who flag bugs in the code. An Instagram spokesperson says that no photos were leaked, and that the bug has since been fixed.
“We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program,” a spokesperson said in a statement given to Mashable. “We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug. We have provided a bounty to the researcher to thank them for their contribution to Instagram Security.”
The bug remained in the app for six months after Martin brought it to the company’s attention, according to Forbes, although most of the issues were resolved a month after Martin’s alert. Given the fact that Instagram rolled out private messaging in December, it seems as though Instagram dodged a bullet when Martin brought the bug to light before the new feature was introduced.
A spokesperson declined to comment on Martin’s compensation for his help, but the program has a minimum $500 reward. That dollar amount may be even higher based on the “severity and creativity” of the bug. Martin told Forbes that his compensation was in the “four figure” range.
Source: Mashable