Independent security researcher Christian Lopez Martin has identified a cross-site request forgery (CSRF) vulnerability in Instagram that could have been leveraged to gain access to users’ photos and information by making their private profiles public.
The expert found that the service didn’t use any mechanism to prevent CSRF attacks. This allowed him to create a simple CSRF exploit.
The security hole was first reported to Facebook on August 22, 2013. Facebook deployed a fix on September 6, but the researcher found a way to bypass it.
A second fix was rolled out, but it too turned out to be ineffective. Instagram was properly patched against CSRF attacks only on February 4, 2014.
Additional technical details on this Instagram CSRF vulnerability are available on the security researcher’s blog.