This Facebook bug exposed Instagram users’ personal emails IDs, birthdays
While signing up for an Instagram account, the photo and video sharing platform promises that your email ID and birthday will not be visible to others or be public. However, a bug discovered by security researcher Saugat Pokharel made the platform vulnerable and allowed an attacker to easily procure that private information.
The bug has been patched by Facebook after being reported, but it was exploitable by business accounts that were given access to an experimental feature that Instagram was testing.
In this particular case, the attack used Facebook’s Business Suite tool, a feature that is available to any Facebook business account. The experimental upgrade, as The Verge explains, meant that if a Facebook business account was linked to Instagram and was included in the test group, the Business Suite tool would show additional information about a person alongside any direct message. This additional information included their erstwhile private email address and birthday details. To get this, all a business user would have to do is to send a direct message to the user on Instagram.
Security researcher Pokharel found that the attack worked on accounts that were set to private and on accounts that were set to not accept DMs from the public. If an account did not have its DMs open, the user would also not receive any notification indicating that their profile may have been viewed.
This is not the first bug Pokharel has spotted on Instagram and reported. Back in August he discovered that Instagram was not actually deleting deleted posts.
A Facebook spokesperson told The Verge that this recent bug was accessible for only a very short time as the experiment was started in October. Facebook did not mention how many users had been given access to this experimental feature but they said that it was a “small test”. Facebook added that they have not found any evidence of abuse.
Here’s Facebook’s full statement:
A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program we rewarded this researcher for his help in reporting this issue to us.
According to Pokharel, Facebook engineers fixed the issue within a few hours of being notified about it.