A Facebook bug has been exposing Instagram users’ email addresses and birthdays
Cyber researcher Saugat Pokharel has found that a Facebook vulnerability exposed the personal email addresses and birthdays of Instagram users. When a user signs up for an Instagram account, the platform assures them that their email address and birthday will not be visible to other users. But the bug discovered by Pokharel could expose this sensitive information to attackers.
According to Pokharel, the bug surfaced because of an experimental feature that Facebook was testing. The bug, which was patched after being reported to Facebook, was exploitable by business accounts that had been given access to that experimental feature. The attack reportedly used Facebook’s Business Suite tool, which is available to any Facebook business account.
Pokharel revealed that the attack worked on accounts that were set to private and on accounts that were set to not accept DMs from the public. If an account did not accept DMs, the user might not receive any notification indicating that their profile may have been viewed.
However, Pokharel also said that the experiment started in October 2020, so the bug was exposed only for a short time. He also mentioned that Facebook was quick to fix the bug as soon as it was reported.
Reacting to the whole incident, a Facebook spokesperson stated, “A researcher reported the issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved, and we did not discover any evidence of abuse. Through our Bug Bounty Program, we rewarded this researcher for his help in reporting this issue to us.” Pokharel was awarded a USD 6,000 bug bounty for bringing up the issue.
Earlier, in August, Pokharel had also discovered that Instagram did not really remove photos and videos that users had deleted. He found that information removed by users was never really removed from the platform. When Pokharel requested a copy of his photos and direct messages, he was handed data that he had deleted more than a year earlier.
A spokesperson said, “The researcher reported the issue where someone’s deleted Instagram images and messages were included in a copy of their information if they used Download Your Information tool on Instagram. We have fixed the issue and we thank the researcher for reporting it to us.”
According to Pokharel, Facebook was fast and its engineers fixed the issue within just a few hours of being notified.