Facebook recently fixed a bug that disclosed personal information of Instagram users. Discovered by Saugat Pokharel, the bug made it easier for an attacker to access the private data of Instagram users, including birthdays and email addresses.
The attack worked seamlessly on private Instagram accounts and on those that are set to not receive direct messages from the public.
Usually, when an individual signs up for an Instagram account, the user's birthday and email address are not accessible to the public. However, according to Pokharel, the bug exposed this data to an attacker.
The attack leveraged Facebook's Business Suite tool, which is available to every Facebook business account. In October, Facebook was developing an experimental service for business accounts. The bug was exploited through the business accounts that were allowed access to this service, and it was patched upon being submitted to Facebook. According to Facebook officials, the bug was accessible only for a short duration, during a small test run in October. The company also rewarded Pokharel for his help in reporting the issue through its Bug Bounty Program.
Pokharel, an experienced bug hunter from Nepal, was awarded a bug bounty payout of nearly $6,000 for finding another Instagram bug earlier.