This is how I was able to view anyone’s private email and birthday on Instagram
Summary: I discovered that Facebook Business Suite was leaking private information about Instagram users from the page messaging section. With this bug, an attacker could obtain the personal email address and birthday of any Instagram user just by messaging them.
Hi, I am Saugat from Kathmandu, Nepal. This is a writeup about a bug which I found recently on Facebook.
It was Thursday evening, October 22. I was looking for security or privacy issues when I read that Facebook had launched a new app called Facebook Business Suite.
What is Business Suite?
Business Suite is an upgraded version of the Pages Manager app (an app for managing Facebook Pages). In Business Suite, a business admin can link their Facebook Page with their Instagram account. The admin can then create or schedule posts, view analytics, and message or reply to comments on both Instagram and Facebook from a single application. Business Suite can be accessed on the desktop at business.facebook.com.
I connected my own personal Instagram account with the Facebook Page through: PageName>Settings>Instagram.
Once my personal Instagram account was connected to the page, I could reply to my Instagram inbox through Business Suite.
When I was replying to one friend, the email address shown in the top right corner of Business Suite caught my attention. It was her email address. I asked my friend whether she had set the privacy of her email to public or not. She was unable to confirm either way. So, I quickly googled email privacy on Instagram.
The official Instagram help page clearly states that the email address is not visible to other users. I became 99% sure that it was a bug.
I also went to my Instagram app > Edit Profile > Personal Information Settings. Even there, it was stated that email, phone number, gender and date of birth are never visible to other users. Then I was like: Yesssssss!
When I opened a conversation window with another friend, I was able to view his email address as well. I wanted to test whether I could fetch the email address of a private user.
So, I created a test Instagram account and changed its privacy to private. Then I wrote a message to that account from my Instagram account. That message appeared in Business Suite and BINGO: I was able to view the email address of the private user as well.
I created another account and set the setting to: Only followers can send me messages. Then I wrote a message to that user. As expected, the message was not sent, but this still opened a chat window in Business Suite and the email address of that account was disclosed as well. I was shocked.
Now I realized that I was able to disclose the primary email address of any Instagram user just by messaging them. Even accounts that were set to private and accounts that were set not to accept DMs from the public were vulnerable to this attack. So, without any delay, I immediately wrote a report to Facebook with a detailed description and a video POC.
I am also in a Workplace group where we can communicate directly with Security Engineers at Facebook. So I notified one of the security engineers to look into my report before it reached any bad guy. The issue was quickly triaged and a fix was deployed less than 2 hours after triage. In this way, the personal email disclosure issue got fixed.
8–9 hours after I noticed the patch, I received a message from the Security team saying the issue had been fixed. I was asked to check whether the patch resolved the issue. And here comes the other part:
Birthday Disclosure of any user:
When I was checking the fix, I saw that the birthday of one Instagram user was leaking from the same place. I was shocked again. I wrote a reply saying that the birthday was leaking from the same place. A Facebook engineer replied that they had already identified the birthday issue from my initial report and were working on a fix.
The next day, the birthday issue was also fixed. But during my investigation I found that the birthday was leaking only for users who had signed up for Instagram manually. So I was able to infer whether a user had created their Instagram account through the Login with Facebook method or not. I believe this is another privacy concern.
If birthday disclosed = Manually signed up
If birthday not disclosed = Logged in with Facebook
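As an added illustration (not code from this writeup or from Facebook), here is a Python sketch of how a page-inbox contact-card serializer can leak exactly what is described above, and how an allow-list serializer avoids both the field leak and the signup-path inference. The User fields, the dm_policy values and the viewer id are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Optional

@dataclass
class User:
    user_id: int
    username: str
    email: str               # documented as never visible to other users
    birthday: Optional[str]  # assumption: None when the account was created via Login with Facebook
    is_private: bool = False
    dm_policy: str = "everyone"  # assumed values: "everyone" or "followers"

PUBLIC_FIELDS = ("user_id", "username")
PRIVATE_FIELDS = ("email", "birthday")

def vulnerable_card(sender: User, viewer_id: int) -> dict:
    """Serialises the sender's whole profile for the page admin (the bug as described)."""
    return asdict(sender)

def half_fixed_card(sender: User, viewer_id: int) -> dict:
    """Hides the email but still passes the birthday through whenever it is set,
    so the presence of a birthday tells a non-owner how the account was created."""
    card = {k: v for k, v in asdict(sender).items() if k != "email"}
    if card["birthday"] is None:
        del card["birthday"]
    return card

def safe_card(sender: User, viewer_id: int) -> dict:
    """Allow-list serializer: a non-owner gets the same fields for every sender,
    regardless of account privacy, DM policy or signup path."""
    card = {k: getattr(sender, k) for k in PUBLIC_FIELDS}
    if viewer_id == sender.user_id:  # only the account owner sees private fields
        card.update(email=sender.email, birthday=sender.birthday)
    return card

Serializer = Callable[[User, int], dict]
# Constructed senders: one signed up manually, one via Login with Facebook.
MANUAL = User(101, "manual_user", "manual@example.com", "1990-01-01", is_private=True)
FB = User(102, "fb_user", "fb@example.com", None, dm_policy="followers")

def exposed_private_fields(serializer: Serializer, viewer_id: int = 999) -> set:
    """Private fields a non-owner viewer (the page admin) receives for either sender."""
    return {f for u in (MANUAL, FB) for f in PRIVATE_FIELDS if f in serializer(u, viewer_id)}

def signup_path_inferable(serializer: Serializer, viewer_id: int = 999) -> bool:
    """True if the admin can tell the two signup paths apart from the birthday slot."""
    return serializer(MANUAL, viewer_id).get("birthday") != serializer(FB, viewer_id).get("birthday")
```

The half-fixed serializer mirrors the intermediate state in the writeup: the email is gone, but a missing birthday still reveals that the account was created with Login with Facebook.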
Here is a POC of the birthday disclosure issue: https://youtu.be/YeopEVjjtPI
After waiting patiently for 7 weeks, a five-digit bounty was issued by Facebook. I was very happy, as it was the highest bounty reward of my entire lifetime.
Timeline of the report:
Initial report sent: October 22, 2020, 6:59 PM
Triaged: October 23, 2020
Email disclosure issue fixed: October 23, 2020
Birthday disclosure issue fixed: October 28, 2020
Rewarded: December 16, 2020
Thank you for taking the time to read my article. Have a great day!
Below is the press coverage regarding this issue.