Facebook has fixed a bug that exposed Instagram users’ personal information such as their email addresses and birthdays.
The bug was discovered by a security researcher named Saugat Pokharel. The bug could have been exploited by business accounts that were given access to an experimental feature that Facebook was testing.
If a Facebook account was linked to Instagram and was part of the test group, they would be able to find personal information about users. Business accounts just had to send a direct message on Instagram to get the information, including their email address and birthday, which are both supposed to be private under Instagram’s policies.
Pokharel found that this would work even if a DM was sent to a private account that does not accept messages from people they don’t follow.
A spokesperson from Facebook told The Verge that “a researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed.”
“This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program we rewarded this researcher for his help in reporting this issue to us.”
Pokharel notes that Facebook managed to fix the issue within hours of being notified of the bug.
Source: The Verge