What you submitted

Title: Global PII leak on IG - 7% of EU users' phone #s and 25% of their email addresses revealed

Vuln Type:
Product Area: Instagram

Description/Impact

PII is literally embedded in the source code of every user's profile page, especially those accounts whose profile type is "Person" and who have NOT set their account to private mode. 50% of all IG accounts fall within the universe of users at risk for leak of PII. PII is readily viewable and can be accessed by anyone who is logged into IG.

The PII that is leaked is a person's private email address and, less frequently, the user's phone #, city/state/province and portions of their address (less often street name and number, but city/state/region/country has been leaked for some users).

I reviewed over 59,000 IG profiles, approximately 1/2 from the US and the other 1/2 users in the EU. Based on my review:
- The phone #s of over 7% of EU based users have been leaked.
- The email addresses of over 25% of EU based users have been leaked.

Here are several specific examples.

MINORS IN THE EU WHOSE PII HAS BEEN LEAKED

Example 1: User is a minor; he has [illegible] as 14 years old. Leaked: phone number, email address, city, region and country. Per schema.org code, the user's profile is a "Person" profile. A google search for his email address returns zero results, which indicates that he has not posted it where others could readily find it.

Example 2: User is a minor; she indicates on her profile that she is 14y[o] and she may have posted her [illegible] coded in roman numerals as {August 4, 2004}. Leaked: email address. Her email is found on the source code page and the format of her email address allows one to personally [identify] her. A quick google search for the 2 names in her email address confirms that her true name can be derived from her email.

[The remainder of the submission (screenshots of profile source code and summary tables) is illegible in the scan.]
[Illegible scanned pages continue here; the legible fragments restate that the phone #s of over 7% and the email addresses of over 26% of the EU users analyzed have been leaked, followed by the start of Facebook's automated acknowledgement.]

[...] investigate and mitigate the issue before sharing information with others, and note that we reserve the right to publish your report. (More details: https://www.facebook.com/whitehat/)

Note that if you're writing to us in a language other than English, we'll only be able to respond in English at this time. We're sorry for any inconvenience this causes.

If you're trying to report another issue, please review the information below to get help.
- If your account or a friend's account is sending out suspicious links: https://www.facebook.com/help/hacked
- To report abuse: https://www.facebook.com/help/reportlinks
- To report bugs that are not security issues: https://www.facebook.com/help/www/326603310765065
- For any other questions or concerns, please visit our Help Center: https://www.facebook.com/help

Thanks,
Facebook Security

Your reply Feb 24

One more item that I wanted to share is the attached table that documents the percent of all EU IG users broken down by the PII leaked, the profile type and the user's privacy setting. 4.7% of users in the EU have likely had their phone # leaked and 16.9% have had their email address leaked. These percentages are different from the ones in my initial subject line because these new percentages include business accounts and organizations - so these percentages are truly the percent of all IG users in the EU.
Attachments: Percent of EU users with PII data leak.png

Your reply Today

Two items to note:

1) Although my report focuses on the impact of this data leak in the European Union, I have also analyzed the profiles of nearly 30,000 US based users and the extent of the data leak for US users is on a comparable scale to that of users in the European Union. I've attached a table that documents these numbers.

2) I have not yet heard back from someone and, given the global scale of this data leak and the fact that millions of users have had their personally identifiable information revealed without their consent, I am adding the following keywords to see if that will speed up the process of your review of my report:

keywords: GDPR, EU, European Union member countries, data breach, global, millions, privacy, minors, PII, Personally identifiable information, Public relations, PR, legal

I hope to hear from someone soon. Thank you

Attachments: Percent of USA users with PII data leak.png

Note: The date shown in the reply above is "Today". This reply was sent on February 28 at approximately 8:45AM.

Mar 7

Hi David,

Thank you for your report! From looking at the information you provided, we've confirmed that the accounts you've identified here correspond to people who have turned their profiles into Business Profiles. That is why the fields you mentioned here were prefixed with "business_". https://help.instagram.com/138925576505882 contains some background on what Business Profiles are and https://help.instagram.com/502981923235522 describes how someone can enable / disable Business Profile features on their account. The process of enabling Business Profile features requires a person to explicitly opt in. As that first link notes, Business Profiles can provide a public "Contact" button to their profile using information supplied by the profile owner. This contact information is what you saw in the HTML of the page.
People always have the ability to change their contact information via account settings. Beyond that, during the setup process for Business Profiles we display this information, remind people that it will be accessible to others, and allow them to update or remove the information. After discussing this functionality with the Instagram team we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form. However this information is still accessible to Instagram users via the Contact button. Given our assessment, this report would not qualify under our program. Please let me know if you have any additional questions here.

Thanks,
Neal
Security

Neal,

[The body of this reply is a screenshot that is illegible in the scan: the reporter's annotated excerpt of profile-page source code.]

I look forward to your reply.

Thank you,
David Stier
Marketing Executive, Data Scientist
realworlddatascience.com

On Thu, Mar 7, 2019 at PM Facebook wrote:

Neal,

I've uploaded all the data that I used for generating my reports onto google drive; you can access it here: google.com/file DELETED

If your team audits the profiles of 50 users who I've identified as having type "Person", I am sure you will see that these profiles were never set up as business profiles. I have also placed a copy of the webpages for selected profile pages that I saved on March 1 [showing] the presence of [illegible] in the source code.
You can access those profiles here: google.com/drive/DELETED

Thank you,
David Stier
Marketing Executive, Data Scientist
realworlddatascience.com

On Thu, Mar 7, 2019 at PM Facebook wrote:

Hi David,

Thanks for following up. Let me see if I can address your concerns here.

> 1) *Business versus Personal Profiles*
> I've highlighted the @type field above and I labeled all profiles whose
> source code for the field "@type" had a value of *"Person"* as being **not**
> a business but instead as a person.

I double-checked the code here to confirm and I can verify that the @type that we displayed there would be "Person" for personal profiles, and also for some sets of business profiles (ie: those representing celebrities). The contact information would only be displayed for business profiles.

> a) the email was NOT visible on the profile pages of those 18,000 people
> nor was there a "contact" button on any of the pages that I viewed. I can
> send the source code of many users' profiles so that you can verify this
> for yourself.

As I mentioned to you earlier, Business Profiles can provide a public "Contact" button to their profile using information supplied by the profile owner. This contact information is what you saw in the HTML of the page. People always have the ability to change their contact information via account settings. Beyond that, during the setup process for Business Profiles we display this information, remind people that it will be accessible to others, and allow them to update or remove the information. After discussing this functionality with the Instagram team we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form. However this information is still accessible to Instagram users via the Contact button in our mobile application.
> b) the source code clearly identifies their profile as being for a
> "Person" so how could someone have changed their profile to a business
> profile yet have nothing in the source code of their page which indicates
> that they have a business profile?

As I mentioned, certain types of "business" profiles representing people would be identified as a "person" in the data you saw.

---

I took a look at the data you provided here and all of that seems consistent with the explanation I've provided you. Please let me know if you have any additional questions here.

Thanks,
Neal
Security

Neal,

The PII was in the HTML code of more than 18,000 profiles that were of type "Person". This was NOT a case of some celebrity pages being considered a personal page. If you just look at 10 or so of the profiles I've provided, you can see that these indeed are personal pages.

I think that you are confusing the fact that the LD+JSON had the variable "business_email" when the profile for the page being shown was that of a person. How that "business" variable got into the HTML of more than 18,000 personal profiles is the real issue. If you start with the fact that these 18,000+ profiles are indeed personal profile pages [which you agree with in item 2 above] then the business_email should not appear (in fact no email whatsoever should appear). However, in your approach you've started with the fact that there's a variable that could only appear on a business profile page, so therefore it must be a business profile page - this logic doesn't hold up.

Thank you,
David

> The PII was in the HTML code of more than 18,000 profiles that were of type "Person".
>
> This was NOT a case of some celebrity pages being considered a personal page.
>
> If you just look at 10 or so of the profiles I've provided, you can see that these indeed are personal pages.

Again, any profile can opt in to being a business profile. When they do so, they select the type of business their account represents.
That includes options which represent people (ie: Personal Chef, for example). Those options would cause us to render a "type" of Person in the data you saw, since the profile represents a person. That field does not indicate whether or not business profile features have been enabled.

> I think that you are confusing the fact that the LD+JSON had the variable "business_email" when the profile for the page being shown was that of a person. How that "business" variable got into the HTML of more than 18,000 personal profiles is the real issue.

There is no confusion on my end. I have explained to you why you observed the behavior that you did. The fact that you saw the business_email field indicates that these *were* accounts that had enabled the business profile feature, because the field was only displayed for accounts which enabled these features.

Thanks,
Neal
Security

Neal,

Thank you for your reply. Given your explanation, it sounds like Instagram would not be concerned if I were to call or text message all the individuals whose phone number was revealed to let them know that their personally identifiable information was revealed by Instagram and that Instagram does not consider this to be any problem because every one of these people had changed their profile type to that of a business profile. I look forward to finding out if your users in the EU agree with your determination.

David

On Mon, Mar 11, 2019, 4:14 PM Facebook <case++aazqhnizwcnq7e@support.facebook.com> wrote:

Hi David,

As I've explained to you here, the set of information that you observed corresponds to accounts which have enabled Instagram business profiles and have opted to provide contact information. I'd encourage you to look at these profiles in the Instagram app itself to see that they have contact links corresponding to this information. For example, the @zweihochfuenf profile you mentioned earlier has an "email" link which points to the business email they provided.
Although this issue does not qualify as a part of our bounty program, we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.

Thanks,
Neal
Security

[Table, illegible in the scan: "For 18,022 EU Instagram Users analyzed, which specific PII is leaked?" with columns for phone leak, email leak, street address leak, city leak, method used, EU locations, IG followers and grand total.]

NOTE - all users analyzed above have their 'is private' flag set to FALSE and a profile type value of "Person".

KEY FINDINGS:
- 7.5% of all users' phone #s have been leaked (1,353 of 18,022)
- 26.6% of all users' email addresses have been leaked (4,793 of 18,022)
- 71.7% of all users have had NO PII data leak (12,919 of 18,022)

Image above: Key findings

4.7% of all IG accts in EU have leaked phone # (shaded cells)
12.9% of all IG accts in EU have leaked email address (light yellow cells)
[Table, illegible in the scan: percent of EU IG users by account privacy setting (PUBLIC / PRIVATE), profile type (Unknown, Organization, Person, All others), PII leaked, method used, EU locations and IG followers; grand total 100.0%.]

Distribution of all EU IG users based on privacy setting, type of profile and PII leak impact. Based on analysis of 28,912 users. David J. Stier

Image above: Percent of users with data leak

EXTENT OF DATA LEAK ON US BASED IG USERS

Distribution of 28.8k US based IG user profiles analyzed
Email leaked for 6.81% of ALL US based IG users and 11.4% of all "Person" profiles
Phone leaked for 3.0% of ALL US based IG users and 3.8% of all "Person" profiles

Profile Type   Phone leak?   Email leak?   Total
Person         No            No            69.81%
Person         No            Yes            6.40%
Person         No total                    76.21%
Person         Yes           No             0.41%
Person         Yes           Yes            2.63%
Person         Yes total                    3.04%
Person Total                               79.25%
Organization   No            No             0.85%
Organization   No            Yes            2.59%
Organization   No total                     3.44%
Organization   Yes           No             0.25%
Organization   Yes           Yes            1.81%
Organization   Yes total                    2.05%
Organization Total                          5.50%
Unknown        No            No             9.38%
Unknown        No total                     9.38%
Unknown Total                               9.38%
All others     No            No             0.90%
All others     No            Yes            2.10%
All others     No total                     3.01%
All others     Yes           No             0.27%
All others     Yes           Yes            2.60%
All others     Yes total                    2.87%
All others Total                            5.87%
Grand Total                               100.00%

Image above: Percent of USA users with data leak
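The thread above turns on two technical points: contact details (a "business_email" property) were rendered into the schema.org LD+JSON embedded in profile-page HTML, and the "@type" value ("Person") says nothing about whether the owner opted in to business contact features, so it cannot be used to decide what the page may carry. The following script is an added example, not code from Instagram or from the reporter; it shows the kind of privacy regression check a defender would run over rendered pages: parse every application/ld+json block, report contact-like properties, and strip them unless the account record says the owner opted in. The sample page, the contact_opt_in flag and every property name other than business_email are assumptions made for this example.

```python
"""Privacy regression check for contact details in a page's embedded JSON-LD.

Added example (not Instagram's or the reporter's code).  It parses the
<script type="application/ld+json"> blocks of rendered HTML, reports
contact-like properties, and strips them unless the account owner opted in.
The sample page, the opt-in flag and all property names except
"business_email" are assumptions made for the example.
"""
import json
import re
from html.parser import HTMLParser

# "business_email" is the property named in the report; also matching "email",
# "phone", "telephone" and "address" (schema.org ContactPoint / PostalAddress
# style names) is an assumption for illustration.
CONTACT_KEY_RE = re.compile(r"email|phone|telephone|address", re.IGNORECASE)


class LdJsonCollector(HTMLParser):
    """Collect the raw text of every <script type="application/ld+json"> block."""

    def __init__(self):
        super().__init__()
        self._in_ld_json = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        script_type = (dict(attrs).get("type") or "").strip().lower()
        if tag == "script" and script_type == "application/ld+json":
            self._in_ld_json = True
            self.blocks.append("")

    def handle_data(self, data):
        if self._in_ld_json:  # script bodies may arrive in several chunks
            self.blocks[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_ld_json = False


def extract_ld_json(html):
    """Return the parsed JSON-LD documents in `html`; invalid JSON blocks are skipped."""
    collector = LdJsonCollector()
    collector.feed(html)
    collector.close()
    docs = []
    for text in collector.blocks:
        try:
            docs.append(json.loads(text))
        except json.JSONDecodeError:
            continue
    return docs


def find_contact_paths(node, path=""):
    """Return dotted paths of contact-like keys anywhere in a JSON-LD value.

    A matching key is reported once and not descended into, so a whole
    "address" object counts as a single finding.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if CONTACT_KEY_RE.search(key):
                found.append(child)
                continue
            found.extend(find_contact_paths(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_contact_paths(item, f"{path}[{index}]"))
    return found


def audit_profile_html(html, contact_opt_in):
    """Return the contact properties that must not appear on this page.

    `contact_opt_in` must come from the account record (did the owner explicitly
    enable a public Contact button?), never from the JSON-LD "@type": as the
    thread explains, "Person" is rendered for some business profiles too.
    """
    if contact_opt_in:
        return []
    findings = []
    for index, doc in enumerate(extract_ld_json(html)):
        findings.extend(f"ld+json[{index}].{p}" for p in find_contact_paths(doc))
    return findings


def strip_contact_fields(node):
    """Return a copy of a JSON-LD value with every contact-like key removed."""
    if isinstance(node, dict):
        return {k: strip_contact_fields(v) for k, v in node.items()
                if not CONTACT_KEY_RE.search(k)}
    if isinstance(node, list):
        return [strip_contact_fields(v) for v in node]
    return node


# Constructed sample: a personal profile page whose JSON-LD carries contact
# details.  Every value below is made up for this example.
SAMPLE_PROFILE_HTML = """<html><head><title>profile</title>
<script type="application/ld+json">
{"@context": "https://schema.org", "@type": "Person",
 "name": "Example Person", "alternateName": "@example_person",
 "business_email": "example.person@example.invalid",
 "address": {"@type": "PostalAddress", "addressLocality": "Exampletown"}}
</script>
</head><body></body></html>"""


def demo():
    """Audit the sample page as a non-opted-in account and return the stripped JSON-LD."""
    findings = audit_profile_html(SAMPLE_PROFILE_HTML, contact_opt_in=False)
    cleaned = [strip_contact_fields(d) for d in extract_ld_json(SAMPLE_PROFILE_HTML)]
    return findings, cleaned


if __name__ == "__main__":
    found, cleaned_docs = demo()
    print("contact properties found:", found)
    print("JSON-LD after stripping:", json.dumps(cleaned_docs, indent=1))
```

Run against the sample page with contact_opt_in=False the audit reports business_email and the address object; with contact_opt_in=True it reports nothing, because publishing those details is then the owner's explicit choice. The design point is that the decision input is the account's recorded opt-in state, not anything in the rendered markup, which is exactly the confusion the two sides of the thread disagreed about.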