Security researcher Saugat Pokharel has discovered a bug that exposed Instagram users’ individual email addresses and birthdays.
When signing up for an Instagram account, the service promises that your email and birthday won’t be publicly visible. The bug, which was patched after being reported to Facebook, was exploitable by business accounts that were given access to an experimental feature the company was testing.
The attack utilized Facebook’s Service Suite tool, offered to any Facebook business account. The experimental upgrade meant that if the Facebook service account was connected to an Instagram account, the Organization Suite tool would show additional info about a person together with any direct message– including their supposedly personal e-mail address and birthday. All organization users needed to do was send a direct message on Instagram to contact the info.
Pokharel discovered that the attack worked on accounts that were set to personal and accounts that were set to decline DMs from the general public. If an account did not accept DMs, the user possibly would not get any notification indicating their profile may have been seen.
In August, Saugat Pokharel also found that ‘Instagram‘ is retaining photos and private direct messages on its servers long after user deleted them. When he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.
Instagram says this was due to a bug in its system that it’s now fixed, and Pokharel has been rewarded a $6,000 bug bounty for highlighting the problem.
