Live
- Where are the two crore jobs that were promised, asks Congress chief Kharge as Kerala prepares to vote
- Ericsson, IIT Kanpur's tech incubator F.I.R.S.T to drive financial solution innovations
- WhatsApp Update: Admins Can Soon Hide Specific Groups From Comunity List
- Massive Rally Held in Southern Constituency as Jana Sena, TDP and BJP Unite for Election Campaign
- Former MLA Gouru Charitha Reddy Holds Road Show and Meeting Program Ahead of General Elections
- YSR Congress Party MLA Candidate Conducts Election Campaign in Visakhapatnam
- Fan Support Grows for Panyam MLA Katasani Rambhupal Reddy in Election Campaign
- Repolling underway in eight polling stations in Arunachal amid heavy security
- Indian IT services sector to see 2nd-consecutive year of muted revenue growth: Report
- Under-construction bridge collapses in Peddapalli
A Facebook bug exposed the birthdays and email addresses of Instagram users
A Facebook bug exposed the birthdays and email addresses of Instagram users
Private information can be accessed simply by sending a direct message to the user.
While signing up for an Instagram account, the service promises that your email and birthday will not be publicly visible. However, a bug discovered by security researcher Saugat Pokharel made it easy for an attacker to obtain such private information. The bug, which was fixed after being reported to Facebook, was exploited by business accounts that were provided access to an experimental feature the company was testing.
The attack made use of Facebook's Business Suite tool, available for any Facebook business account. The experimental update meant that if a Facebook business account was linked to Instagram and got included in the test group, then the Business Suite tool would display additional information about a person along with any direct messages, including their supposedly private email address and their birthdate. All business users need to send a direct message on Instagram to access the information.
Pokharel found that the attack worked on accounts configured as private and accounts configured not to accept direct messages from the public. If an account was not accepting direct messages, the user might not receive any notification that their profile may have been viewed.
Pokharel, a seasoned bug hunter, also found that Instagram was not removing deleted posts in August.
A Facebook spokesperson told The Verge in a statement, that the bug was only accessible for a very short period of time, as the experiment began in October. The company does not disclose how many users were given access to the feature but says it was a "small test" and that an investigation found no evidence of abuse.
The full text of the statement is below.
One researcher reported an issue where if someone was part of a small test we ran in October for business accounts, personal information about the person they were messaging could have been revealed. This issue was quickly resolved, and we did not discover any evidence of abuse. Through our Bug Bounty Program, we reward this investigator for helping us inform us about this issue.
According to Pokharel, Facebook engineers fixed the problem within a few hours of receiving the notification.
