- A Facebook vulnerability has exposed the personal email addresses and birthdays of Instagram users.
- The bug, discovered by Saugat Pokharel, could have exposed users' sensitive information to attackers.
- As per Pokharel, the bug came to the fore because of an experimental feature that Facebook was testing.
A cyber researcher has discovered a Facebook vulnerability that has exposed the personal email addresses and birthdays of Instagram users. When you sign up for an Instagram account, the platform assures users that their email addresses and birthdays will not be visible to other users. However, the bug, discovered by Saugat Pokharel, could have exposed users' sensitive information to attackers.
As per Pokharel, the bug came to the fore because of an experimental feature that Facebook was testing. Some business accounts were given access to the experimental feature, and the bug was exploitable by those accounts. The Verge reported that the attack used Facebook's Business Suite tool, which is available to any Facebook business account.
"If an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed," the report by Saugat said on Friday. Pokharel also revealed that the bug was only exposed for a short time, as the experiment started in October. He also mentioned that Facebook was quick to fix the issue as soon as it was reported.
Reacting to the whole incident, a Facebook spokesperson told The Verge, "A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program, we rewarded this researcher for his help in reporting this issue to us."
Earlier in August, Pokharel had discovered that Instagram does not really remove the photos and videos that users delete. He discovered that information removed by users was never really deleted from the platform. When Pokharel requested a copy of his photos and direct messages, he was handed data that he had deleted more than a year ago. Pokharel was awarded a $6,000 bug bounty for bringing up the issue.
However, Instagram was quick to fix the issue.
"The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We've fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us," a spokesperson had told TechCrunch.