When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Managing social media pages and accounts often involves linking Instagram profiles with Facebook Pages using Creator Studio. This integration lets admins respond to Instagram DMs and comments directly from Facebook’s Creator Studio desktop interface, streamlining content management.

But what if disconnecting your Facebook Page from an Instagram account didn’t actually sever access?

The Unexpected Risk

I discovered a critical privacy flaw involving Instagram accounts sold or transferred to new owners. Even after disconnecting a Facebook Page from an Instagram account in Creator Studio, I could still:

  • View and receive new and old Instagram Direct Messages and comments from the Instagram account I had sold in 2022.

  • Send replies and comments on behalf of that Instagram account, without the knowledge or consent of the new owner or Instagram admin.

In other words, despite officially ending the connection, access to sensitive Instagram interactions remained open through Creator Studio.

Why This Matters

This is a textbook case of an IDOR (Insecure Direct Object Reference) vulnerability — where a user can access or act on data they shouldn’t be authorized to, simply because the backend fails to properly check permissions after disconnection.

For previous owners who sold Instagram accounts, this means:

  • Privacy violations for the new owners, as their messages and comments can be read and manipulated by the former owner.

  • Potential misuse or abuse of the Instagram account, affecting reputation and trust.

  • Undermining the entire point of disconnecting accounts, which is expected to revoke all access and control.

How to Reproduce

  1. Go to Creator Studio Desktop → Page Settings → Connect a Facebook Page with an Instagram account.

  2. As the Facebook Page admin, respond to Instagram messages and comments through Creator Studio.

  3. Disconnect the Facebook Page and Instagram account connection.

  4. Despite disconnection, continue to send and receive Instagram messages and comments through Creator Studio.

What Should Be Done

To fix this issue:

  • Creator Studio must immediately revoke all permissions to send or receive Instagram messages and comments once the Facebook Page and Instagram account are disconnected.

  • Implement strict backend authorization checks ensuring only current valid connections can access Instagram interactions.

  • Notify users explicitly when disconnections take full effect.

This flaw illustrates how complex integrations between social platforms can unintentionally open doors to privacy breaches. As account ownership changes hands, systems must guarantee that previous controllers lose access — or risk serious privacy and trust issues.


Comments

Post a Comment

Popular posts from this blog

🚨When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification . Yes, you read that right — no SMS code, no confirmation, nothing. How This Happens Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail . When you try to enable 2FA via text message on Account B, Instagram doesn’...
Read more

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature . This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private. What’s Happening? Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences. Why This Is a Problem Privacy settings are fundamental to user trust. If a user takes the time to hi...
Read more