Recently, it was reported that a cyber researcher discovered a Facebook bug that exposed personal information, such as email addresses and birthdays, of Instagram users. Saugat Pokharel, an experienced bug hunter from Nepal, discovered the bug. Pokharel found that the attack worked on accounts that were set to private and on accounts that were set to not accept DMs from the public.
“If an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed,” the report said on Friday. Facebook patched the vulnerability after it was reported.
When you sign up for an Instagram account, the platform assures you that your email address and birthday will not be visible to other users. However, the bug discovered by Saugat Pokharel could have exposed this sensitive user information to attackers.
On the other hand, a Facebook spokesperson has said that the bug was only accessible for a short period of time during a small test.
According to Pokharel, the bug came to the fore because of an experimental feature that Facebook was testing. Some business accounts were given access to the feature, and the bug was exploitable by those accounts. The Verge reported that the attack used Facebook’s Business Suite tool, which is available to any Facebook business account.
Earlier, in August, Pokharel had discovered that Instagram does not really remove the photos and videos that users delete. He discovered that information removed by users was never really deleted from the platform.
When Pokharel requested a copy of his photos and direct messages, he was handed data that he had deleted more than a year ago. Pokharel was awarded a 6,000 dollar bug bounty for bringing up the issue. However, Instagram was quick to fix the issue.