This week a researcher walked away with a $13,125 bug bounty award for responsibly reporting a data leak to Facebook.
Security researcher Saugat Pokharel shared details of the privacy flaw, which caused Instagram to leak the email address and date of birth of its users.
Pokharel said he noticed a user's email address while replying to that user via Facebook's Business Suite.
On digging deeper, the researcher was able to confirm that this information was meant to remain private.
“In the official help page of Instagram, it was clearly mentioned that email address is not visible to other users. I became 99% sure that it was a bug,” said Pokharel in a blog post.
User birthday also leaked
After responsibly reporting the bug to Facebook, the researcher patiently waited and in the interim tried to verify if a fix had been pushed out by the company yet.
However, that is precisely when he discovered an additional bit of private user data being exposed.
“When I was checking for the fix, I saw that birthday of one Instagram user was leaking from the same place. I was again shocked. I then wrote a reply saying birthday is leaking from the same place,” says Pokharel.
A Facebook engineer reportedly responded that Facebook had already identified the birthday leak while investigating his earlier report on the email address exposure.
“The next day, birthday issue was also fixed. But, during my investigation what I found was: Birthday was leaking only for those users who manually signed up for Instagram. So, in this way: I was able to infer [whether] the user created Instagram account through Login with Facebook method or not. I believed this is another privacy concern,” explains the researcher.
In other words, the mere presence of a birthday in the exposed data indicated that the user had registered for Instagram directly rather than through "Log in with Facebook": a second, inferential leak on top of the field values themselves.
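The inference above is a general pattern: a field that is populated only for one class of account becomes an oracle for which class an account belongs to, even if the field's value is of little interest. The following is an added illustration, not Instagram's or Facebook's code, and every name in it (the `Account` record, `leaky_profile`, `safe_profile`, the sample users) is hypothetical. It shows a response serializer that copies whatever the record holds, the attacker-side inference that the article describes, and a hardened serializer that emits a fixed allow-list of keys for every account.

```python
"""Added example (hypothetical, not Instagram's or Facebook's code):
how an optionally populated field leaks the account's registration path,
and how a fixed-shape response closes both the value leak and the
presence leak."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    # Assumption mirroring the article: birthday is stored only for
    # accounts created by manual sign-up, not for "Log in with Facebook".
    birthday: Optional[str]
    via_facebook: bool


# Fields that are actually meant to be visible to other users.
PUBLIC_FIELDS = ("username",)


def leaky_profile(acct: Account) -> dict:
    """Vulnerable shape: email is always copied (the first leak), and
    birthday is copied only when present, so the KEY SET of the response
    differs between manual and Facebook-created accounts (the second leak)."""
    data = {"username": acct.username, "email": acct.email}
    if acct.birthday is not None:
        data["birthday"] = acct.birthday
    return data


def infer_signup_method(profile: dict) -> str:
    """Attacker-side inference: presence of 'birthday' => manual sign-up."""
    return "manual" if "birthday" in profile else "login_with_facebook"


def safe_profile(acct: Account) -> dict:
    """Hardened shape: an explicit allow-list, so the same keys are emitted
    for every account and neither values nor key presence reveal anything."""
    return {field: getattr(acct, field) for field in PUBLIC_FIELDS}


def key_set_is_stable(profiles: list) -> bool:
    """Regression check a reviewer can run over a sample of responses:
    every response must expose exactly the same set of keys."""
    key_sets = {frozenset(p.keys()) for p in profiles}
    return len(key_sets) <= 1


# Constructed sample accounts (not real users).
SAMPLE = [
    Account("alice", "alice@example.com", "1990-01-01", via_facebook=False),
    Account("bob", "bob@example.com", None, via_facebook=True),
]


def demo() -> dict:
    """Return what an attacker learns from each serializer."""
    return {
        "leaky_inference": {a.username: infer_signup_method(leaky_profile(a))
                            for a in SAMPLE},
        "leaky_stable": key_set_is_stable([leaky_profile(a) for a in SAMPLE]),
        "safe_stable": key_set_is_stable([safe_profile(a) for a in SAMPLE]),
    }


if __name__ == "__main__":
    print(demo())
```

The `key_set_is_stable` check is the useful part for a practitioner: when testing a fix for a leak like this, compare the key set of the response across accounts created by different paths, not just whether the offending value is gone.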
For his report of both privacy issues, Pokharel was awarded a $12,500 cash bounty from Facebook.
Further, the company added a $625 bonus based on the researcher's prior standing in its Hacker Plus program, bringing the total to $13,125.
Now that’s quite a way to end 2020!
Facebook has now patched both privacy issues, and at the time of writing users' private Instagram details are no longer being leaked.
Data leaks have become a common nuisance due to human errors or system bugs.
Last month, Insomnia Cookies website leaked sensitive database server credentials due to an exposed .env file.
Reports of bulk email address leaks, where a sender CC'd recipients who were meant to be BCC'd, have also surfaced as a result of human error.