A bug during a Facebook test exposed personal information, such as email addresses and birthdays, of Instagram users, The Verge reported.
Saugat Pokharel, an experienced bug hunter from Nepal, discovered the bug. The attack used Facebook’s Business Suite tool, which is available to any Facebook business account. Instagram has more than one billion active users.
Pokharel found that the attack worked on accounts that were set to private and accounts that were set to not accept DMs from the public.
“If an account did not accept DMs, the user potentially would not receive any notification indicating their profile may have been viewed,” the report said. Facebook patched the vulnerability after it was reported.
According to a Facebook spokesperson, the bug was only accessible for a short period of time during a small test.
“A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed,” the company spokesperson said.
Facebook resolved the issue quickly. Facebook did not discover any evidence of abuse. Facebook has already rewarded this researcher — through its Bug Bounty Program — for his assistance in reporting this issue.
Pokharel earlier found another bug in Instagram and was awarded a $6,000 bug bounty payout. He found that Instagram retained photos and private direct messages on its servers long after he deleted them. The company fixed the bug and allowed Pokharel to disclose the issue, according to media reports.