When registering for an account on Instagram, the service promises that personal information such as your email address and date of birth will not be visible to the public.
However, a flaw discovered by security researcher Saugat Pokharel allowed him to obtain that personal information easily.
The bug, which was corrected after Facebook was informed, was exploitable from business accounts that had been granted access to a beta feature the company was testing.
The attack used the Business Suite tool, which is available to any Facebook business account.
If the Facebook business account was linked to an Instagram account and included in the test group, the Business Suite tool displayed additional information about the person, including their email address and date of birth.
All a business account user had to do was send a direct message on Instagram to request the information.
Pokharel found that the attack also worked against private accounts and accounts that did not accept direct messages from the public.
If the account does not accept direct messages, the user might not receive any notification indicating that their account has been viewed.
A Facebook spokesperson said in a statement: “Access to the bug was only available for a short period of time, as the trial began in October.”
The company did not disclose the number of users who were granted access to the feature, but said it was a small test and that its investigation found no evidence of abuse.
According to Pokharel, who discovered in August that Instagram was not deleting deleted posts, Facebook’s engineers fixed the problem within a few hours of being notified.
Facebook said: “A researcher reported a problem so that if someone was part of a mini-test we ran in October for business accounts, the personal information of the person they were messaging with could be revealed.”
It added: “This problem was resolved quickly, and we did not discover any evidence of abuse, and through the Bug Bounty Program we rewarded this researcher for his help in informing us of this problem.”