While Instagram promises users when they sign up for the service that their email ID and birthday will not be publicly visible, security researcher Saugat Pokharel recently discovered a bug that allowed attackers to easily obtain that private information, The Verge reported. According to the report, the bug was patched after being reported to Facebook. The attack made use of Facebook’s Business Suite tool, which is available in any Facebook business account.
Under an experimental upgrade, any Facebook business account that was included in the test and linked to Instagram would see the Business Suite tool show additional information about a person, including their private email address and birthday. All a business user needed to do was send a direct message on Instagram to call up the information.
As per the report, Pokharel also found that the attack worked on accounts that users had kept private in their settings and on accounts set not to accept DMs from the public.
The Verge got a statement from Facebook, in which a spokesperson said that the bug was accessible only for a short period since the experiment started in October. According to the statement given to the publication, Facebook said that the issue was resolved quickly and that it has not discovered any evidence of abuse. The company added that it rewarded the researcher who reported the issue through its Bug Bounty Program.