Introduction
Instagram features an “Archive” option, allowing users to conveniently archive their posts. According to Instagram, the content stored in the archive is intended for the user’s private viewing, ensuring that only the account holder has access to this archived material. This functionality provides users with a practical and secure way to manage and revisit their past posts without sharing them publicly.
The finding
I observed that there is a potential disclosure of old archived posts for a personal account when transitioning to a professional account using Creative Hub on Instagram.
Reproduction Steps
- Ensure that your Instagram account is initially set as a personal account.
- Change the privacy settings of the personal account to private.
- Create an image post and subsequently archive it, making it visible only to you.
- Switch from the personal account to a professional account.
- Link your Instagram account to a corresponding Facebook page.
- Navigate to Creative Hub by visiting https://business.facebook.com/ads/adbuilder/.
- Create a mockup and select both your linked page and Instagram account.
- Under “Media,” add an image by selecting “Instagram images.”
Upon completing these steps, you will observe that the previously private and archived image post from when the account was personal is now visible in the Creative Hub, highlighting a potential privacy concern.
Timeline
- Sarmad: 23 Sep 2020
  - Initial Report
- Meta Bug Bounty Program: 25 Sep 2020
  - Report Triaged
- Meta Bug Bounty Program: 09 Oct 2020
  - Bounty Awarded:
- Meta Bug Bounty Program: 04 June 2021
  - Bug Fixed
- Sarmad: 16 June 2021
  - Fix Confirmed