Facebook and Instagram are among the most famous social media sites, where trillions of people have created profiles to chat, explore and so on. When signing up for an Instagram account, users are told that their videos, photos and other personal details such as email ID, birth date and contact details will not be shared publicly.
But recently security researcher Saugat Pokharel discovered a bug that made it possible to track the personal details of any account. It left the site very vulnerable and allowed an attacker to easily procure that private information.
Facebook patched this bug just after it was reported. It was exploitable by business accounts that were given access to an experimental feature that Instagram was testing.
The attack used Facebook's Business Suite tool, one of the most useful features of a Facebook account. It is available only to business accounts; other users are not allowed to use it. If the Facebook business account was linked with an Instagram account, the Business Suite tool would show additional information about a person alongside any direct message.
Personal details such as birth date, email ID and contact numbers could be exposed very easily this way. To get them, all a business user would have to do is send a direct message to the user on Instagram.
This is not the first bug Pokharel has spotted on Instagram and reported. Earlier in the month of August he discovered that Instagram was not actually deleting deleted posts.
Facebook and Instagram are used very widely, and people should feel safe when they update any of their details there. If the personal details of any random person can be shared like this, it is hard to imagine what kinds of crime could take place.
Facebook gave a statement saying:
A researcher reported an issue where, if someone was a part of a small test we ran in October for business accounts, personal information of the person they were messaging could have been revealed. This issue was resolved quickly, and we discovered no evidence of abuse. Through our Bug Bounty Program we rewarded this researcher for his help in reporting this issue to us.
Security researcher Saugat Pokharel said that the engineers fixed the problem very soon after they were informed of it.