While Instagram promises users when they sign up for the service that their email ID and birthday will not be publically visible, security researcher Saugat Pokharel, recently discovered a bug, which allows attackers to easily be privy to that private information reported The Verge. According to the report, the bug was patched after being reported to Facebook. The attack made use of Facebook's Business Suite tool that is available in any Facebook business account.
The experimental upgrade saw any Facebook business account included in the test that was linked to Instagram would see the Business Suite tool showing additional information about a person including their private email address and birthday. All business users needed to do was send a direct message on Instagram to call up the information.
As per the report, Pokharel also found that the attack worked on accounts that users had kept private in their settings and in accounts that were set to not accept DMs from the public.
The Verge got a statement from Facebook, where a spokesperson said that the bug was accessible only for a short period since the experiment started in October. As per the statement available to the publication, Facebook said that the issue was resolved quickly and they have not discovered any evidence of abuse. They added that through their Bug Bounty Program, they rewarded the researcher who reported the issue.
source https://www.firstpost.com/tech/news-analysis/an-instagram-bug-exposed-users-personal-data-facebook-says-issue-has-now-been-patched-9132561.html