According to the researcher, the private information of Instagram users was just a DM away.
Nepal-based IT security researcher Saugat Pokharel identified a Facebook bug that exposed the private data of Instagram users, including their email addresses and birthdays. Ironically, at the time of registration the service promises users that such information won’t be disclosed to the public.
According to Pokharel, who was participating in the Facebook bug bounty program, the bug made it easy for an attacker to obtain such private information about Instagram users. However, it is worth noting that the bug existed in Facebook’s Business Suite tool, which is available for Facebook business accounts, and affected a feature the company was testing.
The experimental feature aimed to link a Facebook account to Instagram so that the suite displayed a DM (direct message) option alongside more information about the person, such as their birthdate and personal email address.
The attack worked on accounts that were set to private and did not accept DMs from the public. Such accounts would receive no notification if their profile was viewed.
A Facebook spokesperson revealed in an official statement to The Verge that the bug was active for a short while during an experiment conducted in October.
“A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program, we rewarded this researcher for his help in reporting this issue to us.”
After the bug was fixed, Facebook allowed the researcher to disclose its details. According to Pokharel’s tweet, he is working on a write-up detailing the issue.
This, however, is not the first time Pokharel has reported critical bugs in Facebook-owned Instagram. Back in August, the researcher reported that Instagram kept users’ deleted messages and pictures on its servers for more than a year. The company claimed that the reported content was retained due to a bug.