
2 minute read - Security Testing

Instagram Private Information

Nov 1, 2018

TLDR: The “Private Information” section of your Instagram profile is no longer private once you switch to a Business account.

When your private Instagram information isn’t private.

I switched to an Instagram business account because I thought I might use the analytics. I don’t. I do not have enough followers to warrant it, and with Instagram you can only add links to stories when you have 10K followers so the only benefit was analytics.

I didn’t realise that Instagram would then make public my email and phone number.

This is listed on the Instagram support page and apparently revealed in a notification when you switch; I just don’t remember seeing it. https://help.instagram.com/138925576505882

Even though they are listed as “Private Information” on the profile page they are shared through the app and the web page.

On the mobile app there are email and contact buttons which use these to trigger a call or an email.

On the web site, these details are not exposed via the GUI. There is no button for email or phone. But the information is readily visible in the source code of the page.

I’ve switched back to a personal account because I thought that sharing the information was too big a price to pay for analytics that I don’t use and features I don’t have access to.

Testing

From a testing perspective, I was able to investigate the Passive Scan Tags in Zed Attack Proxy.

I created one for each of my main email addresses so now when I use the web through the proxy I’ll be able to see if there is any data leakage that I didn’t expect.
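The two observations above, contact details present in the page source even though the web GUI shows no button for them, and a passive check per address so the proxy flags any response that carries one, can be illustrated with a small scanner. The following is an added example, not code from the original post or from Zed Attack Proxy itself; the hostname, page markup and JSON key names are constructed, and the script runs over captured response bodies rather than hooking into a live proxy.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (hypothetical host and JSON key names): a
# profile page whose visible markup has no contact buttons but whose embedded
# script data carries the account's email and phone, plus a clean page.
SAMPLE_RESPONSES = {
    "https://example.invalid/profile/": (
        "<html><body><h1>Profile</h1><p>No email or phone button here.</p>\n"
        '<script>window._pageData = {"user": {"public_email": '
        '"me@example.invalid", "business_phone": "+44 7700 900123"}};</script>\n'
        "</body></html>"
    ),
    "https://example.invalid/about/": "<html><body><p>Nothing personal.</p></body></html>",
}

# Values to watch for, one per address, the way the post creates a passive scan tag each.
WATCH_LIST = ["me@example.invalid", "+44 7700 900123"]


@dataclass(frozen=True)
class Leak:
    url: str
    value: str      # the watched value that was found
    context: str    # surrounding text, to show where in the response it sits


def _looks_like_phone(value: str) -> bool:
    # Digits with optional spacing/punctuation and at least seven digits overall.
    return bool(re.fullmatch(r"[\d\s+().-]+", value)) and len(re.sub(r"\D", "", value)) >= 7


def build_patterns(watch_list):
    """One compiled regex per watched value.

    Emails are matched literally (case-insensitive). Phone numbers are matched
    on their digits, allowing any spacing or punctuation between them, so that
    "+44 7700 900123" is still caught when a page renders it as 447700900123.
    """
    patterns = {}
    for value in watch_list:
        if _looks_like_phone(value):
            digits = re.sub(r"\D", "", value)
            patterns[value] = re.compile(r"\+?" + r"[\s().-]*".join(digits))
        else:
            patterns[value] = re.compile(re.escape(value), re.IGNORECASE)
    return patterns


def scan_response(url, body, patterns, window=30):
    """Return a Leak for every occurrence of a watched value in one response body."""
    leaks = []
    for value, pattern in patterns.items():
        for m in pattern.finditer(body):
            snippet = body[max(0, m.start() - window): m.end() + window]
            leaks.append(Leak(url, value, snippet.replace("\n", " ")))
    return leaks


def scan_all(responses, watch_list):
    """Scan every (url, body) pair, mirroring a proxy tagging responses as they pass."""
    patterns = build_patterns(watch_list)
    leaks = []
    for url, body in responses.items():
        leaks.extend(scan_response(url, body, patterns))
    return leaks


if __name__ == "__main__":
    for leak in scan_all(SAMPLE_RESPONSES, WATCH_LIST):
        print(f"{leak.url}: found {leak.value!r} in ...{leak.context}...")
```

The snippet in each `Leak` is what makes the finding actionable: on the constructed profile page it shows the address sitting inside a script block rather than in any visible element, which is exactly the case a GUI walkthrough misses. The digit-tolerant phone pattern exists because the same number is rarely formatted the same way in markup, JSON and a contact link; values that are encoded (for example JSON `\u0040` for `@`) would still need a decoding step before matching.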

So that’s a bonus!

Switching back to personal

To switch back:

  • you need to use the mobile app
  • you’ll need to have your Facebook password handy
  • click on settings
  • click “switch to personal account”
  • log in to Facebook when prompted
  • select “Switch Back” in the warning dialog
  • ignore the warning about needing to cancel promoted posts which appears regardless of whether you are running promoted posts or not

Public By Design

This is clearly by design. But I don’t remember seeing a warning, and there is no way to switch it off for business accounts; it is simply the price you pay for getting access to analytics that you don’t use.

If you didn’t realise that you were sharing your Private Information when you signed up as a business then… now you know.