A Facebook bug exposed the birthdays and email addresses of Instagram users
Private information can be accessed simply by sending a direct message to the user.
While signing up for an Instagram account, the service promises that your email address and birthday will not be publicly visible. However, a bug discovered by security researcher Saugat Pokharel made it easy for an attacker to obtain exactly that private information. The bug, which was fixed after being reported to Facebook, could be exploited by business accounts that had been given access to an experimental feature the company was testing.
The attack made use of Facebook's Business Suite tool, which is available to any Facebook business account. Under the experimental update, if a Facebook business account was linked to Instagram and had been included in the test group, the Business Suite tool would display additional information about a person alongside any direct messages, including their supposedly private email address and birthdate. All a business user needed to do to access the information was send the person a direct message on Instagram.
Pokharel found that the attack worked both on accounts configured as private and on accounts configured not to accept direct messages from the public. If an account was not accepting direct messages, its owner might receive no notification at all, and so would have no indication that their information had been viewed.
In August, Pokharel, a seasoned bug hunter, had also found that Instagram was not removing posts that users had deleted.
A Facebook spokesperson told The Verge in a statement that the bug was only exploitable for a very short period of time, as the experiment began in October. The company did not disclose how many users were given access to the feature, but said it was a "small test" and that an investigation found no evidence of abuse.
The full text of the statement is below.
One researcher reported an issue where, if someone was part of a small test we ran in October for business accounts, personal information about the person they were messaging could have been revealed. This issue was quickly resolved, and we did not discover any evidence of abuse. Through our Bug Bounty Program, we rewarded this investigator for helping inform us about this issue.
According to Pokharel, Facebook engineers fixed the problem within a few hours of receiving the notification.