When you register for an Instagram account, the service promises that personal information such as your email address and date of birth will not be visible to the public.
However, a flaw discovered by security researcher Saugat Pokharel allowed him to obtain this personal information easily.
The bug, which was fixed after it was reported to Facebook, was exploitable from merchant accounts that had been granted access to an experimental feature the company was testing.
The attack used the Business Suite tool available to any business Facebook account.
If a Facebook business account was linked to an Instagram account and enrolled in the test, the Business Suite tool displayed additional information about the person messaging it, including their private email address and date of birth.
All a merchant account user had to do was send a direct message on Instagram to obtain the information.
Pokharel found that the attack also worked against private accounts and accounts that did not accept direct messages from the public.
If the account did not accept direct messages, the user might receive no notification at all indicating that their account had been viewed.
A Facebook spokesperson said in a statement: “Access to the bug was only available for a short period of time, as the trial began in October.”
The company did not disclose how many users were granted access to the feature, but said it was a small test and that its investigation found no evidence of abuse.
According to Pokharel, who in August discovered that Instagram was not deleting posts that users had deleted, Facebook engineers fixed the issue within a few hours of being notified.
Facebook said: “A researcher reported a problem whereby, if someone was part of a small test of commercial accounts we conducted in October, the personal information of the person who was messaging with them could be revealed.”
It added: “This problem was resolved quickly, and we did not discover any evidence of abuse; through the Bug Bounty Program we rewarded this researcher for his help in informing us of this problem.”