Instagram, a popular photo and video sharing platform, promises that a user's email ID and birthday will not be visible to others or made public. However, a bug discovered by security researcher Saugat Pokharel left that information exposed and allowed an intruder to easily obtain it. The bug was exploitable by business accounts that had been given access to an experimental feature the platform was testing. Facebook patched it within a couple of hours of it being reported.
The attack used Facebook's Business Suite tool, which was available to any Facebook business account. As The Verge reports, the experimental feature meant that if a Facebook business account was connected to Instagram and was part of the test group, the Business Suite tool would show further information about a person alongside any direct message. This additional data included their otherwise private email address and birthday details. To reveal all of this, a business user only had to send a direct message to the user on Instagram.
Pokharel found that the attack worked on accounts that were set to private and on accounts that were set to not accept DMs from the public. This is not the first bug Pokharel has spotted on Instagram and reported. A Facebook spokesperson told The Verge that this recent bug was accessible for only a very short time as the research was started in October. Facebook did not specify how many users had been given access to this temporary feature, but said that it was a "small test". Facebook added that it did not find any evidence of abuse.
Here’s Facebook’s complete statement:
A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program, we rewarded this researcher for his help in reporting this issue to us.