JMH
Possible Instagram security vulnerability reportedly revealed; update: Instagram says bug fixed, no private data made public
http://www.theverge.com/2012/7/11/3153664/possible-instagram-security-vulnerability-revealed
Security researcher Sebastián Guerrero has posted some details on an apparent security vulnerability within Instagram. Guerrero claims to have discovered a method for forcing any Instagram user to follow another account. That would mean that private Instagram accounts would be accessible to a malicious user, to say nothing of forcing non-private users into following other accounts they may not want to.
While the full details of how to pull off the vulnerability weren't posted in the alert on Pastebin, Guerrero did provide a few more details in a blog post (Google translation here). On Pastebin, he summarizes the vulnerability as "Instagram['s] lack of control on authorization logic allows an user to add himself as a friend of any user on Instagram social network." Guerrero tells us via email that he first submitted the vulnerability to Instagram yesterday with no response, then chose to go public with his claims today. Guerrero has also given us a few further details on how he achieved the vulnerability via email, but we have not yet independently verified his claims.