This Facebook bug exposed Instagram users’ personal email IDs, birthdays

Thanks to the bug, all this private information could be accessed just by sending the user a direct message (DM). Fortunately, it has been fixed.

By: HT TECH
| Updated on: Aug 21 2022, 13:30 IST
A bug discovered by security researcher Saugat Pokharel made Instagram vulnerable and allowed an attacker to easily procure private information. (Pixabay)

When you sign up for an Instagram account, the photo and video sharing platform promises that your email ID and birthday will not be visible to others or made public. However, a bug discovered by security researcher Saugat Pokharel made the platform vulnerable and allowed an attacker to easily procure that private information.

The bug has been patched by Facebook after being reported, but it was exploitable by business accounts that were given access to an experimental feature that Instagram was testing.


In this particular case, the attack used Facebook's Business Suite tool, a feature that is available to any Facebook business account. The experimental upgrade, as The Verge explains, meant that if a Facebook business account was linked to Instagram and was included in the test group, the Business Suite tool would show additional information about a person alongside any direct message. This additional information included their otherwise private email address and birthday. To get it, all a business user had to do was send a direct message to the user on Instagram.


Security researcher Pokharel found that the attack worked on accounts that were set to private and on accounts that were set to not accept DMs from the public. If an account did not have its DMs open, the user would also not receive any notification indicating that their profile may have been viewed.

This is not the first bug Pokharel has spotted on Instagram and reported. Back in August, he discovered that Instagram was not actually deleting deleted posts.


A Facebook spokesperson told The Verge that this recent bug was accessible for only a very short time as the experiment was started in October. Facebook did not mention how many users had been given access to this experimental feature but they said that it was a “small test”. Facebook added that they have not found any evidence of abuse.

Here's Facebook's full statement:

A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program we rewarded this researcher for his help in reporting this issue to us.

According to Pokharel, Facebook engineers fixed the issue within a few hours of being notified about it.


First Published Date: 19 Dec, 18:57 IST