Security Researcher hacked 1 million Instagram accounts

The security researcher Arne Swinnen has published research stating that he found a way to hijack 1 million Instagram accounts within minutes.

He explains that a combination of missing authentication and a simple insecure direct object reference would have allowed him to hijack locked Instagram accounts.

Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed taking over a selection of temporarily locked Instagram accounts.

He shows that by changing the URL he was able to view Instagram accounts that are vulnerable to the attack.
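An added example, not code from Swinnen's research or from Instagram: a hypothetical locked-account page handler with the two flaws named above (no authentication, object id taken straight from the URL) beside a hardened form. The account data, the token scheme and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: hypothetical locked accounts keyed by sequential id.
ACCOUNTS = {
    1001: {"username": "alice", "locked": True, "email": "alice@example.test"},
    1002: {"username": "bob", "locked": True, "email": "bob@example.test"},
}
# Hypothetical per-account secrets, delivered out of band to the account owner.
UNLOCK_TOKENS = {uid: secrets.token_urlsafe(32) for uid in ACCOUNTS}


def unlock_page_vulnerable(user_id):
    """Before: the id in the URL is the only input; nothing ties caller to account."""
    acct = ACCOUNTS.get(user_id)
    if acct is None or not acct["locked"]:
        return 404, None
    return 200, acct  # changing the id in the URL returns another user's page


def unlock_page_hardened(user_id, token):
    """After: the caller must present the secret bound to this exact account."""
    acct = ACCOUNTS.get(user_id)
    expected = UNLOCK_TOKENS.get(user_id)
    # Identical answer for unknown id, unlocked account and bad token,
    # so responses cannot be used to tell which ids exist.
    if acct is None or not acct["locked"] or expected is None or not token:
        return 404, None
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 404, None
    return 200, {"username": acct["username"]}  # only what the page needs


def reachable_ids(handler, ids):
    """Regression check: ids that answer 200 for one fixed caller."""
    return [uid for uid in ids if handler(uid)[0] == 200]


if __name__ == "__main__":
    alice_token = UNLOCK_TOKENS[1001]
    ids = range(1000, 1004)
    print("vulnerable:", reachable_ids(unlock_page_vulnerable, ids))
    print("hardened:  ", reachable_ids(
        lambda uid: unlock_page_hardened(uid, alice_token), ids))
```

Run against a range of ids, the first handler answers for every locked account while the second answers only for the account whose token the caller holds.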
