When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio


Background
While managing multiple social media accounts for business, I relied heavily on Facebook Creator Studio to handle Instagram messages and comments from my desktop. Creator Studio simplifies responding to DMs and comments without switching devices.

Discovery Summary

In 2022, I discovered a critical privacy vulnerability related to how Creator Studio handles Instagram integration. After disconnecting a Facebook Page from an Instagram account—which I had sold to a new owner—I realized I still retained full access to that Instagram account’s private messages and comments, despite no longer owning it.

Description of the Vulnerability

  • Disconnecting the Facebook Page–Instagram link should revoke, immediately and on the backend, every permission that the link granted.

  • Instead, only the visible connection was removed: the settings page reported the accounts as disconnected while the backend kept the messaging channel active.

  • Even after disconnection, the former Page admin could:

    • View all existing and incoming Instagram DMs.

    • Reply to public comments and send messages as the Instagram account.

  • The new owner had no indication that the previous owner retained access; nothing in the Instagram account’s settings showed a live link.

  • This violates fundamental privacy and security expectations. Disconnecting accounts should revoke all messaging and interaction rights immediately, and the backend authorization state should match what the user interface shows.

Steps to Reproduce (at time of discovery)

  1. Connect a Facebook Page to an Instagram account via Creator Studio (desktop).

  2. As Page admin, manage Instagram DMs and comments in Creator Studio.

  3. Disconnect the Instagram account from the Facebook Page in Facebook settings (not from within Creator Studio).

  4. Return to Creator Studio after disconnection.

  5. Observe that you can still read/send Instagram messages and reply to comments without re-linking the accounts.

Security and Privacy Impact

  • Privacy breach for the new owner: the former owner still sees private conversations and interacts with followers.

  • Reputation risk: unauthorized replies sent as the account may damage brand image or cause confusion.

  • User trust violated: users expect full revocation of access upon disconnection.

  • Technically, the issue is a broken access control flaw rather than a classic Insecure Direct Object Reference (IDOR): the former admin was not guessing or tampering with object identifiers, but using a grant that was never revoked. The authorization decision was made against a credential issued at connect time and was not revalidated after disconnection or the change of ownership. The closest descriptions are missing revocation of a delegated permission and improper authorization (an authorization check that is performed once and never repeated against current state).

Business Impact

  • Damage to client or customer relationships due to unauthorized activity by a former manager.

  • Erosion of trust in Facebook and Instagram’s integration security.

  • Potential legal consequences if sensitive data is exposed or mishandled.

  • For brands using these platforms for customer support, lingering access compromises privacy and brand integrity.

Conclusion

This was a serious flaw in Facebook Creator Studio’s handling of Instagram account disconnections. Although fixed now, it underscores the critical need for:

  • Immediate backend revocation of all API tokens, permissions, and communication channels upon disconnecting integrations, so that the disconnect action itself invalidates every grant derived from the link.

  • Re-checking the live link state on every message read, send, or comment reply, rather than trusting a credential that was valid when the link was created.

  • Treating an ownership transfer of the linked account as a revocation event in its own right, not only an explicit disconnect.

  • Not relying solely on front-end indicators of connection status; the settings page and the authorization backend must read from the same source of truth.

Any delay or oversight in permission revocation risks privacy violations and harm to businesses and users alike.
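The pattern described in the vulnerability section above (UI link flag flipped, backend grant left alive) and the revocation rules listed in this conclusion can be shown side by side in code. The following is an added example written for this page; it is not code from Meta or from the original report, and every class, method and identifier in it (Link, Grant, VulnerableIntegration, HardenedIntegration, run_scenario, the page and account IDs, the seeded DM) is hypothetical, since Creator Studio's internals are not public. The vulnerable service authorizes message access purely against the token handed out at connect time; the hardened service revokes those tokens on disconnect and on ownership transfer, and re-checks the live link on every request.

```python
"""Stale-authorization demo: a Page <-> Instagram link that is disconnected
in the UI but still honoured by the messaging backend, beside a hardened
version. Added example; all names are hypothetical, not Meta's code."""
from dataclasses import dataclass
import secrets


@dataclass
class Link:
    page_id: str
    ig_account_id: str
    active: bool = True          # the flag the settings page displays


@dataclass
class Grant:
    token: str                   # credential the message client presents
    page_id: str
    ig_account_id: str
    revoked: bool = False


class VulnerableIntegration:
    """Disconnect updates only the visible link; the messaging channel keeps
    trusting the grant that was issued at connect time."""

    def __init__(self):
        self.links = {}          # (page_id, ig_account_id) -> Link
        self.grants = {}         # token -> Grant
        self.inbox = {}          # ig_account_id -> list of DMs (constructed)

    def connect(self, page_id, ig_account_id):
        self.links[(page_id, ig_account_id)] = Link(page_id, ig_account_id)
        token = secrets.token_hex(16)
        self.grants[token] = Grant(token, page_id, ig_account_id)
        return token

    def disconnect(self, page_id, ig_account_id):
        # BUG: only the front-end indicator changes; the grant survives.
        self.links[(page_id, ig_account_id)].active = False

    def _authorize(self, token):
        grant = self.grants.get(token)
        if grant is None or grant.revoked:
            raise PermissionError("no valid grant")
        return grant

    def read_dms(self, token):
        grant = self._authorize(token)
        return list(self.inbox.get(grant.ig_account_id, []))

    def send_dm(self, token, text):
        grant = self._authorize(token)
        self.inbox.setdefault(grant.ig_account_id, []).append(f"[sent] {text}")


class HardenedIntegration(VulnerableIntegration):
    """Disconnect revokes every grant for the pair, ownership transfer revokes
    everything touching the account, and each request is re-checked against
    the live link state instead of only the cached grant."""

    def disconnect(self, page_id, ig_account_id):
        super().disconnect(page_id, ig_account_id)
        for grant in self.grants.values():
            if (grant.page_id, grant.ig_account_id) == (page_id, ig_account_id):
                grant.revoked = True

    def transfer_ownership(self, ig_account_id):
        # A sale is a trust-boundary change even without an explicit disconnect.
        for (_, aid), link in self.links.items():
            if aid == ig_account_id:
                link.active = False
        for grant in self.grants.values():
            if grant.ig_account_id == ig_account_id:
                grant.revoked = True

    def _authorize(self, token):
        grant = super()._authorize(token)
        link = self.links.get((grant.page_id, grant.ig_account_id))
        if link is None or not link.active:
            raise PermissionError("link no longer active")
        return grant


def run_scenario(service):
    """Connect, seed one constructed DM, disconnect, then read as the former
    manager. Returns the number of DMs still readable (0 means revoked)."""
    token = service.connect("page-1", "ig-acct-1")
    service.inbox["ig-acct-1"] = ["customer: is my order shipped?"]
    assert len(service.read_dms(token)) == 1      # access works while linked
    service.disconnect("page-1", "ig-acct-1")
    try:
        return len(service.read_dms(token))
    except PermissionError:
        return 0


def run_transfer_scenario(service):
    """Same as run_scenario, but the account is sold instead of disconnected."""
    token = service.connect("page-1", "ig-acct-1")
    service.inbox["ig-acct-1"] = ["customer: where is my refund?"]
    service.transfer_ownership("ig-acct-1")
    try:
        return len(service.read_dms(token))
    except PermissionError:
        return 0


if __name__ == "__main__":
    print("vulnerable, after disconnect:", run_scenario(VulnerableIntegration()))
    print("hardened, after disconnect:  ", run_scenario(HardenedIntegration()))
    print("hardened, after sale:        ", run_transfer_scenario(HardenedIntegration()))
```

The point of the two `_authorize` implementations is the one the conclusion makes: the vulnerable service has an authorization check, but it consults only the object created at connect time, so the disconnect path can forget to touch it. The hardened service both revokes on every trust-boundary event and derives the decision from the same `Link` record that the settings UI displays, so the front end and the backend cannot disagree.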
