Jaipur: Neeraj Sharma, a 20-year-old second-year BCA student, was awarded a monetary reward worth Rs 38 lakhs for reporting a bug in the reels section of the social media platform Instagram. According to Neeraj, the vulnerability would have let an attacker change the reel thumbnail of any Instagram user knowing only the media ID of the reel, irrespective of how strong the account holder's password was.
Neeraj, a resident of the Sanganer area in Jaipur, is currently a student at Poddar International College. An avid internet surfer, he started looking for bugs in the Instagram app in December 2021. He says he initially tested a few things on Instagram Ads but did not find any bugs there, so he started hunting in the Instagram reels section.
After spending some time with the target, he reached the feature that lets users edit a reel's cover photo, also known as its thumbnail. As a test, he changed his own reel's thumbnail and was surprised to discover the bug. "I was surprised as I did not expect such a vulnerability in a subsidiary of a giant like META. I immediately reported it to Meta Security Team," Neeraj wrote in one of his blogs.
The tech giant Meta, which has both Facebook and Instagram as its subsidiary companies, replied to him after three days and asked him to give a demo of the bug he had found. Neeraj changed the thumbnail again in just 5 minutes and showed it. The company thereafter approved his report.
On May 11, he got an email from Facebook notifying him of an award worth $45000 (about 35 lakh rupees) as a reward for finding and reporting the bug. An additional $4500 (approximately 3 lakhs) was given as a bonus for the delay of 4 months in awarding the reward.
Neeraj has also been given a place in the Facebook Hall of Fame. Neeraj, who thanked the company for the reward, aspires to make a career in the cyber security field. He said he will now try to find bugs on Twitter and Google.