When signing up for an Instagram account, the service promises that your email and birthday won’t be publicly visible. A bug discovered by security researcher Saugat Pokharel, however, made it so that an attacker could easily get that private information. The bug, which was patched after being reported to Facebook, was exploitable by business accounts that were given access to an experimental feature the company was testing.
The attack worked on private accounts, and ones that don’t accept public DMs
The attack used Facebook’s Business Suite tool, available to any Facebook business account. The experimental upgrade meant that if a Facebook business account was linked to Instagram and was included in the test group, the Business Suite tool would show additional information about a person alongside any direct message — including their supposedly private email address and birthday. All business users had to do was send a direct message on Instagram to call up the information.
Pokharel found that the attack worked on accounts that were set to private and accounts that were set to not accept DMs from the public. If an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed.
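The bug class here is a feature flag that unlocks extra profile data in a message view without any field-level authorization check, so the recipient's own privacy settings never enter the decision. The following is an added illustration, not Instagram's or Facebook's code, in which every name (`User`, `dm_view_vulnerable`, `dm_view_fixed`, `audit`) and every sample account is hypothetical. It shows the leaking path beside a hardened one that builds the response from an allowlist keyed on who the viewer is, and an audit that runs both over every combination of experiment flag, private-account setting and DM-acceptance setting, mirroring the finding that the leak ignored all of them.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Hypothetical account record; email and birthday are owner-only fields."""
    handle: str
    email: str       # private: must never be shown to another account
    birthday: str    # private: must never be shown to another account
    is_private: bool = False
    accepts_public_dms: bool = True


PUBLIC_FIELDS = ("handle",)
PRIVATE_FIELDS = ("email", "birthday")


def dm_view_vulnerable(viewer: User, recipient: User, in_experiment: bool) -> dict:
    """Leaking path: the experiment flag decides what data is returned.

    Nothing here asks whether `viewer` is allowed to see the extra fields, and
    `recipient.is_private` / `recipient.accepts_public_dms` are never consulted.
    """
    profile = {"handle": recipient.handle}
    if in_experiment:
        # Bug: a UI experiment is used as the authorization decision.
        profile["email"] = recipient.email
        profile["birthday"] = recipient.birthday
    return profile


def profile_for_viewer(viewer: User, subject: User) -> dict:
    """Hardened projection: start from an allowlist and widen it only for the owner."""
    data = {f: getattr(subject, f) for f in PUBLIC_FIELDS}
    if viewer is subject:
        data.update({f: getattr(subject, f) for f in PRIVATE_FIELDS})
    return data


def dm_view_fixed(viewer: User, recipient: User, in_experiment: bool) -> dict:
    """Fixed path: the flag changes presentation only; data projection ignores it."""
    profile = profile_for_viewer(viewer, recipient)
    if in_experiment:
        profile["enriched_panel"] = True  # layout hint, carries no extra data
    return profile


def leaked_private_fields(viewer: User, subject: User, response: dict) -> set:
    """Private fields present in a response shown to someone other than the owner."""
    if viewer is subject:
        return set()
    return set(response) & set(PRIVATE_FIELDS)


def audit(view_fn) -> dict:
    """Run `view_fn` over every flag/privacy/DM-setting combination.

    Returns {case_label: set of leaked field names}. A safe view returns only
    empty sets. Accounts below are constructed sample data.
    """
    business = User("shop_account", "owner@example.invalid", "1980-01-01")
    results = {}
    for in_exp in (False, True):
        for is_private in (False, True):
            for accepts in (True, False):
                target = User("target_user", "target@example.invalid",
                              "1995-06-15", is_private, accepts)
                label = f"exp={in_exp},private={is_private},public_dms={accepts}"
                response = view_fn(business, target, in_exp)
                results[label] = leaked_private_fields(business, target, response)
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", dm_view_vulnerable), ("fixed", dm_view_fixed)):
        leaks = {k: v for k, v in audit(fn).items() if v}
        print(f"{name}: {len(leaks)} leaking cases", leaks)
```

The audit is the part worth keeping as a regression test: it asserts that no response built for a non-owner ever contains an owner-only field, regardless of which feature flags are on, which is the invariant the experimental path broke. Gating the projection on the viewer's identity rather than on a flag means a future experiment cannot reintroduce the leak without failing this check.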
An experienced bug hunter, Pokharel also discovered back in August that Instagram wasn’t actually deleting posts that users had deleted.
In a statement provided to The Verge, a Facebook spokesperson said that the bug was only accessible for a short period of time, as the experiment was started in October. The company doesn’t disclose how many users were given access to the feature, but it says that it was a “small test,” and that an investigation found no evidence of abuse.
The full text of the statement is below.
A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program we rewarded this researcher for his help in reporting this issue to us.
According to Pokharel, Facebook engineers fixed the issue within a few hours of being notified.
Update December 18, 6:20 PM ET: Clarified a point in the second paragraph that only accounts that were included in the experiment had access to the information.