Through a bug in the Facebook Business platform, it was possible to access the personal information of Instagram users simply by using a tool made available by the social network.
The error was revealed by security researcher Saugat Pokharel, who reported it to Facebook. In short, details such as a user's email address and birthday are not visible to other users on the portal, but this flaw made it possible to access them simply through a business account.
Facebook found no evidence of abuse
The attack used the business tools made available by the Menlo Park company for the management of Facebook and Instagram accounts and, in particular, the experimental versions of these tools.
Through these functions, it was possible to view additional information about accounts, including email address and date of birth. The data was displayed when a user sent a private message on Instagram to a business page (or vice versa) with the experimental tools active. When this happens, some information about the user is displayed next to the message, but personal details such as email address and date of birth should not be shown.
According to Pokharel, the attack worked both against users who had set their account to private and against those who did not accept DMs from anyone. Indeed, in the latter case, the user did not even receive a notification of the contact from the business page. “This problem was resolved quickly and we found no evidence of abuse,” Facebook said in a statement.
“Through our bug research program, we have rewarded this researcher for helping us.” According to Pokharel, the social network’s engineers fixed the flaw within hours of the report being sent.