Facebook-owned Instagram was hit by a bug that reportedly revealed users' private information such as email ID and birthday. At the time of signing up, the social media platform promises users that their contact info and date of birth would not be disclosed for security reasons. According to The Verge, citing security researcher Saugat Pokharel, the bug was exploitable by Facebook business accounts that were given access to an experimental feature that Instagram was testing. The report adds that bad actors, in this case, could leverage the Facebook Business Suite tool, which is available to business accounts, to view information such as date of birth and email address. Although this personal data might seem insignificant, attackers who accessed it could carry out phishing scams or run other malicious campaigns that can even compromise the device.
The report further notes that if a Facebook business account was linked to Instagram and was included in the test group, attackers could view additional information about a person alongside any direct message due to the bug in the Business Suite tool. "All business users had to do was send a direct message on Instagram to call up the information," it noted. The attack also reportedly worked on accounts that were set to private or did not accept DMs from the public. The report highlights that if an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed.
However, Facebook said in a statement that the bug was only accessible for a short period of time. Although the company did not disclose how many business users had access to the experimental feature, the social media giant adds that it was a "small test," and that an investigation found no evidence of abuse. "A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Programme, we rewarded this researcher for his help in reporting this issue to us," the statement given to The Verge read.
Interestingly, back in August, Pokharel also discovered that Instagram stored deleted messages and photos of its users.