Security researcher Arne Swinnen has published research in which he states that he found a way to hijack 1 million Instagram accounts within minutes.
He explains that with a combination of missing authentication and a simple insecure direct object reference, he would have been able to hijack locked Instagram accounts.
Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed to overtake a selection of temporary locked Instagram accounts.
He shows that he was able to change the URL, which gave him a view of the Instagram accounts that are vulnerable to the attack.
He states that the URL reveals the issue:
The URL revealed the issue: this page was actually accessible without being authenticated (“checkpoint_logged_out_main”) and contained my Instagram test account’s unique user id.
Facebook fixed the issue within 24 hours by enforcing authentication on the pages that allow updating profile information such as email address and/or phone number.
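An added sketch of the flaw and the fix described above, not code from Instagram, Facebook or the researcher's write-up: a profile-update handler that trusts the user id in the request, beside one that requires an authenticated session bound to that id. All names and data are hypothetical and constructed, and the ownership check goes one step beyond the authentication fix the page reports.

```python
# Added illustration; every name here is hypothetical, not Instagram's code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str


# Constructed sample data.
ACCOUNTS = {
    1001: Account(1001, "owner1001@example.test"),
    1002: Account(1002, "owner1002@example.test"),
}
# Session token -> user id the session was issued to at login (constructed).
SESSIONS = {"sess-1001": 1001}


class Forbidden(Exception):
    """Raised when a request is rejected by the access check."""


def update_email_vulnerable(user_id: int, new_email: str) -> None:
    """Before: no session is required and the id from the request is trusted,
    so any caller can change the email of any account id."""
    ACCOUNTS[user_id].email = new_email


def update_email_fixed(session: Optional[str], user_id: int, new_email: str) -> None:
    """After: require an authenticated session, then bind it to the target id."""
    owner = SESSIONS.get(session) if session else None
    if owner is None:
        # Missing or unknown session: the page is no longer reachable logged out.
        raise Forbidden("authentication required")
    if owner != user_id:
        # Authenticated, but the id in the request is someone else's account.
        raise Forbidden("session does not own this account")
    ACCOUNTS[user_id].email = new_email
```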
- 14/03/2016: Bug submitted to Facebook
- 14/03/2016: Facebook reply: “We are sending it to the appropriate product team for further investigation.”
- 15/03/2016: Facebook reply: “We have looked into this issue and believe that the vulnerability has been patched.”
- 16/03/2016: Confirmation that bug is fixed to Facebook
- 25/03/2016: Facebook reply: “After reviewing the issue you have reported, we have decided to award you a bounty of $5,000 USD.”