When signing up for an Instagram account, the service promises that your email and birthday won’t be publicly visible.
However, Saugat Pokharel, a security researcher from Nepal, found a bug that could let an attacker easily obtain that private information. The bug was exploitable by business accounts that had been given access to an experimental feature the company was testing.
The attack used Facebook’s Business Suite tool, available to any Facebook business account. The experimental upgrade meant that if a Facebook business account was linked to Instagram and was included in the test group, the Business Suite tool would show additional information about a person alongside any direct message.
This additional information included their supposedly private email address and birthday. Shockingly, all that the business users had to do was send a direct message (DM) on Instagram to get the information.
Even on private accounts
Mr. Pokharel found that the attack worked on accounts that were set to private and accounts that were set to not accept DMs from the public. If an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed.
An experienced bug hunter, Mr. Pokharel had earlier found another bug in Instagram and was awarded a $6,000 bug bounty payout. He found that Instagram retained photos and private direct messages on its servers long after he had deleted them.
In a statement a Facebook spokesperson said that the bug was only accessible for a short period of time, as the experiment was started in October. The company doesn’t disclose how many users were given access to the feature, but it says that it was a “small test,” and that an investigation found no evidence of abuse.
Mr. Pokharel confirmed that Facebook engineers fixed the issue within a few hours of being notified.