Nepalese cyber security researcher Saugat Pokharel received $13,125 in a bug bounty for finding a bug that exposed Instagram users’ email addresses and birthdates through the Facebook Business Suite interface.
Let me remind you that Facebook Business Suite was introduced this fall and is designed to make it easier for businesses to manage Facebook, Messenger, Instagram and WhatsApp by bringing them all into one place.
The problem found by the researcher cannot be called a full-fledged vulnerability. In October 2020, Pokharel simply connected his Instagram to the Business Suite and found that when he sent messages to other users, he saw their email addresses, which in theory should remain private. The email address was simply displayed on the right side of the window, and getting this information did not require any manipulation.
The researcher found that he had access to the email addresses of every Instagram user, even those whose accounts were closed and those who did not accept private messages from everyone.
Facebook specialists quickly fixed the problem, but while checking their patch, Pokharel noticed that the Business Suite also disclosed the dates of birth of Instagram users. The social network fixed this bug only this week, after which the researcher was able to speak publicly about his findings.