Security Experts:

Email Address of Instagram Users Exposed via Facebook Business Suite

A researcher has earned over $13,000 for a flaw that exposed the email address and birth date of Instagram users via the Facebook Business Suite.

The issue was discovered in October by Saugat Pokharel, a researcher based in Nepal, and it was patched within hours by Facebook.

Pokharel identified the vulnerability while analyzing the Facebook Business Suite interface that the social media giant introduced in September. Facebook Business Suite is designed to make it easier for businesses to manage Facebook, Messenger, Instagram and WhatsApp from a single location.

Pokharel connected his Instagram account to the Business Suite and noticed that, when messaging an Instagram user, he could see that user’s email address, which should have been kept private. It’s worth noting that the email address was displayed on the right side of the chat window — obtaining the information did not require any actual hacking.

Instagram email address exposed in Facebook Business Suite chat

The researcher determined that the email address of every Instagram user was exposed, even those who had their accounts set to private and ones that did not accept direct messages from everyone.

Facebook quickly patched this issue, but while he was verifying the fix, Pokharel noticed that the birth date of Instagram users was exposed in the same way by the Facebook business tool. The social media company patched the birth date exposure within a week.

Pokharel said he received a total of $13,125 from Facebook for his findings.

A few months ago, cybersecurity firm Check Point disclosed the details of an Instagram vulnerability that could have been exploited to hijack accounts and turn the victim’s phone into a spying tool without any interaction.

Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000

Related: Hacker Finds Instagram Account Takeover Flaw Worth $10,000

Related: Facebook Announces Vulnerability Reporting and Disclosure Policy

Related: Facebook Pays $60,000 for Vulnerability in Messenger for Android

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.