This is how I was able to view anyone’s private email and birthday on Instagram

Saugat Pokharel
Dec 20, 2020 · 5 min read

Summary: I discovered that Facebook Business Suite was leaking private information about Instagram users from the page messaging section. With this bug, an attacker could obtain the personal email and birthday of any Instagram user just by messaging them.

Hi, I am Saugat from Kathmandu, Nepal. This is a writeup about a bug I recently found in Facebook.

On the evening of Thursday, October 22, I was looking for security and privacy issues when I read that Facebook had launched a new app called Facebook Business Suite.

What is Business Suite?

Business Suite is an upgraded version of the Pages Manager app (an app for managing Facebook Pages). In Business Suite, a business admin can link their Facebook Page with their Instagram account. The admin can then create or schedule posts, view analytics, and send messages or reply to comments on both Instagram and Facebook from a single application. Business Suite can be accessed on the desktop at business.facebook.com.

I connected my own personal Instagram account to the Facebook Page through PageName > Settings > Instagram.

Once my personal Instagram account was connected to the page, I could reply to my Instagram inbox through Business Suite.

When I was replying to one friend, the email shown in the top right corner of Business Suite caught my attention. It was her email address. I asked my friend whether her email privacy was set to public or not. She could not give me a proper confirmation, so I quickly googled email privacy on Instagram.

Email of an Instagram user being exposed through Business Suite

The official Instagram help page clearly states that the email address is not visible to other users. I was 99% sure it was a bug.

The Instagram help page states that email, phone number and gender are always private.

I also went to the Instagram app > Edit Profile > Personal Information Settings. There too it said that email, phone number, gender and date of birth are never visible to other users. Then I was like: Yesssssss!

The above information is not supposed to be viewable by others

When I opened a conversation window with another friend, I could view his email address as well. I wanted to test whether I could fetch the email address of a private account too.

So I created a test Instagram account and set it to private. Then I sent a message to that account from my Instagram account. The message appeared in Business Suite and, BINGO, I could view the email address of the private account as well.

I created another account and set it to "Only followers can send me messages". I then wrote a message to that user. As expected, the message was not delivered, but it still opened a chat window in Business Suite, and the email of that account was disclosed too. I was shocked.

Now I realised that I could disclose the primary email address of any Instagram user just by messaging them. Even accounts set to private, and accounts set not to accept DMs from the public, were vulnerable to this attack. So, without any delay, I immediately wrote a report to Facebook with a detailed description and a video PoC.

I am also in a Workplace group where we can communicate directly with Security Engineers at Facebook, so I asked one of the security engineers to look into my report before it reached any bad guy. The issue was quickly triaged and a fix was deployed less than 2 hours after triage. That is how the personal email disclosure issue got fixed.

8–9 hours after I noticed the patch, I received a message from the Security team saying the issue had been fixed, and asking me to check whether the patch resolved it. And here comes the other part:

Birthday Disclosure of any user:

While checking the fix, I saw that the birthday of one Instagram user was leaking from the same place. I was shocked again. I replied saying that the birthday was leaking from the same place. The Facebook engineer replied that they had already identified the birthday issue from my initial report and were working on a fix.

The next day, the birthday issue was also fixed. But during my investigation I found that the birthday was leaking only for users who had signed up for Instagram manually. So I could infer whether or not a user had created their Instagram account through "Log in with Facebook". I believed this was another privacy concern.

If birthday disclosed = Manually signed up
If birthday not disclosed = Logged in with Facebook
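The bug class described above is a thread-participant serializer that hands a page admin the other party's full profile record, so that opening a conversation (even one whose message was never delivered) is enough to read fields Instagram documents as always private. The following is an added example, not code from the article and not Facebook's or Instagram's code: a constructed vulnerable serializer beside a hardened one, plus a regression check for the leak and for the sign-up-method inference. The Profile shape, field names and sample accounts are assumptions chosen to mirror the article's observations.

```python
# Added example (not from the article, not Facebook/Instagram code).  The Profile
# shape, field names and sample accounts are constructed assumptions.
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional

# Fields the article quotes Instagram's help page as "always private".
ALWAYS_PRIVATE = {"email", "phone_number", "gender", "birthday"}

# Fields a messaging UI plausibly needs about the other party (assumption).
PUBLIC_PROFILE_FIELDS = {"user_id", "username", "full_name", "profile_pic_url", "is_private"}


@dataclass(frozen=True)
class Profile:
    user_id: int
    username: str
    full_name: str
    profile_pic_url: str
    is_private: bool
    email: str
    phone_number: Optional[str]
    gender: Optional[str]
    # The article saw a birthday only for manual sign-ups, so accounts created
    # via "Log in with Facebook" are modelled here as having no birthday stored.
    birthday: Optional[str]


def serialize_participant_vulnerable(profile: Profile, viewer_id: int) -> Dict[str, object]:
    """Vulnerable pattern: return the stored record unchanged, whoever is asking.

    Anyone who can open a thread (including a sender whose message was never
    delivered, as in the 'followers only' case) receives every field.
    """
    return asdict(profile)


def serialize_participant(profile: Profile, viewer_id: int) -> Dict[str, object]:
    """Hardened: the owner sees their own record; everyone else gets an allowlist.

    Private fields are omitted entirely rather than set to None, so a viewer
    cannot distinguish a 'birthday stored' account from a 'no birthday' one.
    That closes the sign-up-method inference described in the article.
    """
    data = asdict(profile)
    if viewer_id == profile.user_id:
        return data
    return {k: v for k, v in data.items() if k in PUBLIC_PROFILE_FIELDS}


def leaked_private_fields(serialized: Dict[str, object]) -> List[str]:
    """Regression check: which always-private fields appear in a response at all?"""
    return sorted(ALWAYS_PRIVATE & set(serialized))


def signup_method_inferable(serialize: Callable[[Profile, int], Dict[str, object]],
                            manual: Profile, via_facebook: Profile, viewer_id: int) -> bool:
    """True if the two responses differ in how 'birthday' shows up, i.e. a third
    party can tell a manual sign-up from a Facebook login just by looking."""
    def birthday_shape(resp: Dict[str, object]):
        return ("birthday" in resp, resp.get("birthday") is not None)
    return birthday_shape(serialize(manual, viewer_id)) != birthday_shape(serialize(via_facebook, viewer_id))


# Constructed sample accounts (not real users).
MANUAL_SIGNUP = Profile(1001, "test_private", "Test Private", "https://example.invalid/a.jpg",
                        True, "private-user@example.invalid", "+000000000", "female", "1995-03-14")
FACEBOOK_LOGIN = Profile(1002, "test_fb", "Test FB", "https://example.invalid/b.jpg",
                         False, "fb-user@example.invalid", None, None, None)
ATTACKER_ID = 4242  # a page admin who merely opened a thread with these accounts


if __name__ == "__main__":
    for name, fn in (("vulnerable", serialize_participant_vulnerable), ("hardened", serialize_participant)):
        print(name, "leaks:", leaked_private_fields(fn(MANUAL_SIGNUP, ATTACKER_ID)),
              "| signup method inferable:",
              signup_method_inferable(fn, MANUAL_SIGNUP, FACEBOOK_LOGIN, ATTACKER_ID))
```

The point of the hardened version is that privacy is enforced at serialization time against the viewer's identity, not left to the client to hide, and that a denied field is absent rather than null, so the response shape itself carries no signal.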

Here is a PoC of the birthday disclosure issue: https://youtu.be/YeopEVjjtPI

I was eager to know the bounty decision. I already knew it would be a very good bounty, since the issue was highly critical in terms of user privacy.

After waiting patiently for 7 weeks, a five-digit bounty was issued by Facebook. I was very happy, as it was the highest bounty reward of my entire life.

Timeline of the report:

Initial report sent: October 22, 2020, 6:59 PM
Triaged: October 23, 2020
Email disclosure issue fixed: October 23, 2020
Birthday disclosure issue fixed: October 28, 2020
Rewarded: December 16, 2020


Thank you for taking time to read my article. Have a great day!

You can follow me on Facebook or Twitter if you would like to stay connected with me.

Below is the coverage from the press regarding this issue.

Infosec Daily

All things Infosec.

Saugat Pokharel

Written by

Security Analyst at Cynical Technology

Infosec Daily

From tool reviews to the latest hacking news, from regular updates in the industry to educational tutorials. Infosec is here to take care of all your questions regarding Cyber Security. Infosec is an enterprise launched by nassec.io.
