When you sign up for an Instagram account, the service guarantees that your email address and birthday will not be publicly visible. A bug discovered by security researcher Saugat Pokharel, however, made it possible for an attacker to easily access that private information. The bug, which was fixed after being reported to Facebook, could be exploited by business accounts that had been given access to an experimental feature the company was testing.
The attack used the Facebook Business Suite tool, which was available with any Facebook business account. The experimental update meant that if a Facebook business account was linked to Instagram and included in the test group, the Business Suite tool would reveal additional information about an individual alongside any direct message, including their private email address and birthday. All a business user in the test group had to do was send a direct message on Instagram to bring up the information.
Pokharel found that the attack worked on private accounts and on accounts set up so as not to accept DMs from the public. If DMs are not accepted, the user may not receive any notification indicating that their profile had been viewed.
Pokharel, an experienced bug hunter, also discovered in August that Instagram was not actually deleting posts that users had deleted.
In a statement given to The Verge, a Facebook spokeswoman said the bug was only present for a short time, as the test began in October. The company will not disclose how many users had access to the feature, but says it was a “small test”, and that an investigation found no evidence of abuse.
The full text of the statement is below.
A researcher described a case where, if someone was part of a small test we ran in October for business accounts, they could see the personal information of the person to whom they were sending messages. This issue was resolved quickly, and we found no evidence of abuse. Through our Bug Bounty program we rewarded this researcher for helping us by reporting this issue.
According to Pokharel, Facebook engineers fixed the bug within hours of being notified.
Updated Dec 18, 6:20 PM ET: The second paragraph has been updated to clarify that only accounts included in the test had access to the information.