This bug actually dates from before the email confirmation, but it is quite an interesting vulnerability to share, and it could be done for a certain period of time …
Normally, a Facebook user’s profile has all the features enabled by default, but some users manage their privacy by hiding their list of friends. There is, however, a quite possible way to bypass this. This post does not involve any technical hacking tools; it relies only on logical thinking.
Data access control is not so easy, but a logical loophole can make getting around it as simple as that. Let’s get into the topic. Facebook bought Instagram back in 2012, and there are still lots of integrations going on between them.
When you create an Instagram account, you probably sign up with the email address that you used for your Facebook account, or with a mobile number in some cases. So your Facebook and Instagram accounts somehow end up linked without your knowledge. In this case, after logging in with the same email address used on Facebook, you get people suggestions for those who are in the friend list of your Facebook account. This gives you the logic for getting into the private friend list of a Facebook user.
There are more than 2 billion Facebook accounts and only about 800 million Instagram accounts, so it is possible that at least about a billion and a half accounts were vulnerable.
All you need to know is the victim’s email ID or mobile number to sign up with. This disclosure bug was reported, and Facebook didn’t recognize it as a security vulnerability; that’s how the story of email confirmation on Instagram came into existence later.
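The flaw and the email-confirmation fix described above, as a toy model added here for illustration (not code from Facebook, Instagram or the original post). `ServiceB`, `SERVICE_A_FRIENDS`, the usernames and the address are all hypothetical, constructed names.

```python
import hmac
import secrets

# Constructed sample data: service A's private friend lists, keyed by account email.
SERVICE_A_FRIENDS = {"alice@example.com": ["bob", "carol", "dave"]}

class ServiceB:
    """Hypothetical second service that builds suggestions from service A's graph."""

    def __init__(self, require_verified_email):
        self.require_verified_email = require_verified_email
        self.accounts = {}  # username -> {"email", "verified", "token"}

    def sign_up(self, username, email):
        # Anyone can type any address here; nothing proves ownership yet.
        token = secrets.token_urlsafe(16)
        self.accounts[username] = {"email": email.lower(), "verified": False, "token": token}
        return token  # stands in for the link mailed to the address's real owner

    def confirm_email(self, username, token):
        acct = self.accounts[username]
        if hmac.compare_digest(acct["token"], token):
            acct["verified"] = True
        return acct["verified"]

    def suggestions(self, username):
        acct = self.accounts[username]
        # The fix: an unproven address must not unlock data linked to it.
        if self.require_verified_email and not acct["verified"]:
            return []
        return list(SERVICE_A_FRIENDS.get(acct["email"], []))

def demo():
    results = {}
    # Before the fix: suggestions are served for an address nobody has confirmed.
    weak = ServiceB(require_verified_email=False)
    weak.sign_up("stranger", "alice@example.com")
    results["weak_unverified"] = weak.suggestions("stranger")
    # After the fix: nothing is served until the mailed token comes back.
    fixed = ServiceB(require_verified_email=True)
    token = fixed.sign_up("owner", "alice@example.com")
    results["fixed_unverified"] = fixed.suggestions("owner")
    fixed.confirm_email("owner", "wrong-token")
    results["fixed_bad_token"] = fixed.suggestions("owner")
    fixed.confirm_email("owner", token)
    results["fixed_verified"] = fixed.suggestions("owner")
    return results
```

The same gate applies to a mobile number used at sign-up: possession has to be proven before any data keyed to that identifier is returned.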