Shulou (Shulou.com), 05/31 report; updated 2025-01-17
This article summarizes a writeup about a bug that exposed the private personal information of any Instagram user.
In the writeup, the author tests the Facebook Business Suite application and finds that private information of Instagram users bound to Facebook is disclosed in the page messaging section. An attacker could exploit this bug to obtain the personal email address, date of birth and other sensitive information of any user who communicates with them on Instagram.
Facebook Business Suite
Facebook Business Suite is an upgraded version of Facebook's business application. Through it, Facebook business administrators can manage all of their bound Facebook and Instagram accounts. It provides a variety of free tools that help administrators manage their brand image in one place, reach more users and keep up with the latest activity. Ordinary users can reach the Facebook Business Suite home page at business.facebook.com.
Vulnerability discovery
First, I can bind my Instagram account through PageName > Settings > Instagram on my Facebook Page, so that I can exchange Instagram messages from the Instagram inbox in Facebook Business Suite.
When I replied to a friend there, the information in the upper-right corner of the Facebook Business Suite conversation box caught my attention: it clearly showed my friend's email address. I asked him whether he had set his email address to private, but he couldn't be sure. I immediately looked into Instagram's privacy policy for users' email addresses.
On checking, I found that Instagram's official page clearly states that a user's email address is private and not visible to other users, so I was sure this was a bug.
In addition, the Edit Profile > Personal Information Settings screen of the Instagram app makes it clear that the user's email address, mobile phone number, gender and date of birth are completely private and not visible to other users.
Therefore, when I communicate with my friends in the above way, I can see the other person's email address, mobile phone number, gender, date of birth and other personal information in full from the conversation box. After that, I wondered what would happen if the other user set the information to a private state visible only to themselves. Could I still see their private information in this way?
So I immediately signed up for a new Instagram account, set its personal information to private, and then used my original Instagram account in Facebook Business Suite to message this account. Bingo: I could still see all of its personal information in the conversation box. It shocked me.
In other words, through Instagram messaging in Facebook Business Suite, I can get the personal information of any Instagram user, even if that information is set to private or the user has chosen not to receive private messages. I immediately reported this to the Facebook security team with a PoC video. Since one of my friends is an engineer on the Facebook security team, I asked him to follow up on the vulnerability as soon as possible. Sure enough, two hours after the vulnerability was reported, the personal email leak was fixed. More than eight hours later, the Facebook security team emailed me that the entire vulnerability had been fixed, and they invited me to retest it. However, after the retest, I found another problem.
Retest: date of birth information was still leaked
After testing again, I found that the other user's date of birth was still being leaked in the original dialog box. After I informed Facebook, they were a little confused. After in-depth analysis, I found the following: if a user signed up for an Instagram account manually, that user's date of birth is disclosed. If the user was redirected through a Facebook login, the date of birth is not disclosed. This seems to constitute another kind of privacy disclosure, namely:
Date of birth information disclosure = the other user is a manually registered Instagram account
Date of birth information is not disclosed = the other user was redirected through a Facebook login
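The retest finding above, turned into a regression audit; this is an added example, not code from the writeup or from Facebook. The field names, the account records and the `panel_after_first_fix` stand-in (which only reproduces the behaviour reported on retest) are hypothetical, and `panel_allowlist` is one deny-by-default way to build the same view.

```python
from itertools import product

# Fields the writeup lists as private on Instagram; names are hypothetical.
PRIVATE_FIELDS = ("email", "phone", "gender", "birth_date")
PUBLIC_FIELDS = ("username",)
SIGNUP_PATHS = ("manual", "facebook_login")  # the two paths from the retest

def make_account(signup, private_profile):
    """Constructed test account; every value here is sample data."""
    return {"username": f"{signup}_user", "signup": signup,
            "private_profile": private_profile,
            "email": f"{signup}@example.test", "phone": "+10000000000",
            "gender": "x", "birth_date": "1990-01-01"}

def panel_after_first_fix(account):
    """Stand-in for the conversation panel as observed on retest:
    email is gone, but birth date still appears for manual sign-ups."""
    view = {"username": account["username"]}
    if account["signup"] == "manual":
        view["birth_date"] = account["birth_date"]
    return view

def panel_allowlist(account):
    """Deny by default: only fields explicitly marked public are returned."""
    return {k: account[k] for k in PUBLIC_FIELDS}

def audit(serializer):
    """Check every sign-up path and privacy setting for private fields
    that reach the other party's view; return them as tuples."""
    leaks = []
    for signup, private in product(SIGNUP_PATHS, (False, True)):
        view = serializer(make_account(signup, private))
        leaks += [(signup, private, f) for f in PRIVATE_FIELDS if f in view]
    return leaks

if __name__ == "__main__":
    print("after first fix:", audit(panel_after_first_fix))
    print("allowlist      :", audit(panel_allowlist))
```

An audit that only used Facebook-login test accounts would report the first fix as complete, which is why the sign-up path is part of the test matrix.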