Linking Facebook with Instagram also creates the risk of cross-platform security gaps. (Image: tanuha2001 / shutterstock.com)
December 21, 2020, 9:28 am
No time right now?
Note: We have used commission links in this article and marked them with “*”. If an order is placed via these links, t3n.de receives a commission.
Attackers could see the personal email address and date of birth via a simple direct message. However, you had to meet a number of requirements for this.
Only business account holders who used a specific variant of the Business Suite tool could access the data. Facebook promises that they will be hidden from strangers. The security researcher Saugat Pokharel found the hole and the company closed it after reporting it within a short time.
The relevant version of the Business Suite tool is in the beta phase. It only provided selected business account holders with the additional information if they had linked their account to Instagram and sent a direct message to the target. This worked for both private accounts and those that don’t accept public direct messages. This means that the data could have been viewed without those affected noticing.
Facebook started the experiment in October. The platform operator responded to a request from The Verge: “This problem was fixed quickly and we did not find any indications of abuse”. Pokharel confirmed that the gap had been closed a few hours after he was reported. Facebook has a program called the Bug Bounty Program that rewards reporters of security vulnerabilities.
