✨ Non-members can read this write-up for free using this link.

Hi everyone, this is Shubham Bhamare. Today, I’m going to share the story of one of the most creative and painful findings of my bug hunting journey. The target? Instagram, which of course means Meta. 😅

This one is special, not because of the bounty (spoiler: there isn’t one 🥲), but because of everything around it. A last-minute hunt on New Year’s Eve just to keep a streak alive. A bug that could silently reactivate someone’s Instagram account without them ever touching their phone. A Meta security analyst who told me it would get a bounty. And then… well. You’ll see. 😅

Let’s get into it! 🚀

Long story short:

Let me set the scene before we get into the bug. 😄

I’ve been on the Meta Whitehat Hall of Fame for 4 consecutive years: 2018, 2019, 2020, and 2021.