
Facebook fixes Instagram bug that leaked users' private email addresses and birthdays

This week a researcher walked away with a $13,125 bug bounty award for responsibly reporting a data leak to Facebook.

Security researcher Saugat Pokharel shared details of the privacy flaw, which caused Instagram to leak the email address and date of birth of its users.

Pokharel said he noticed the email address of a user while replying to that user via Facebook's Business Suite.

On digging deeper, the researcher was able to confirm that this information was meant to remain private.

“In the official help page of Instagram, it was clearly mentioned that email address is not visible to other users. I became 99% sure that it was a bug,” said Pokharel in a blog post.

User birthday also leaked

After responsibly reporting the bug to Facebook, the researcher patiently waited and in the interim tried to verify if a fix had been pushed out by the company yet.

However, that is precisely when he discovered an additional bit of private user data being exposed.

“When I was checking for the fix, I saw that birthday of one Instagram user was leaking from the same place. I was again shocked. I then wrote a reply saying birthday is leaking from the same place,” says Pokharel.

A Facebook engineer reportedly responded to the researcher that Facebook had already identified the birthday leak while investigating his earlier report on the email address exposure.

“The next day, birthday issue was also fixed. But, during my investigation what I found was: Birthday was leaking only for those users who manually signed up for Instagram. So, in this way: I was able to infer [whether] the user created Instagram account through Login with Facebook method or not. I believed this is another privacy concern,” explains the researcher.

In other words, a user's birthday being exposed was an indication that the user had signed up for an Instagram account manually (i.e. with an email address) rather than through the "Login with Facebook" option, so the leak also revealed which sign-up method an account had used.

For his report of both privacy issues, Pokharel was awarded a $12,500 cash bounty from Facebook.

Further, the company added a $625 bonus to the payout under its Hacker Plus program, in recognition of the researcher's previous work, bringing the total to $13,125.

Now that’s quite a way to end 2020!

Facebook has now patched both privacy issues, and at the time of writing users' private Instagram details are no longer being leaked.

Data leaks have become a common nuisance due to human errors or system bugs.

Last month, Insomnia Cookies website leaked sensitive database server credentials due to an exposed .env file.

Reports of bulk email address leaks caused by human error have surfaced too, typically when a sender put recipients in the CC field when they had intended to BCC them.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
