Security researcher Saugat Pokharel has discovered a bug that allowed attackers to leak personal information about Instagram users. The bug, which was fixed after being reported to Facebook, could be used by business accounts that were given special access through a new feature Facebook is testing.
The company is testing an experimental feature that allows business accounts to connect to Instagram using the Business Suite tools, and the bug allowed those tools to display personal information. All they have to do is send a direct message on Instagram to get the information. The tool shows additional information about each person alongside the direct messages.
Pokharel found that it is possible to hack private accounts or accounts that do not receive direct messages from the public. If the account doesn't receive direct messages, its owner won't even be notified that their personal information has been viewed.
Facebook responded to these findings by stating that the bug was only available for a short time and only within a minor test feature. After an investigation, Facebook also found that no one had used this exploit to obtain personal information from Instagram users.
Pokharel also said that Facebook fixed the problem within hours of receiving the report.