A developer from London discovered that Instagram accounts could be hijacked easily and provided proof of it, but Facebook denied him a bug bounty, saying that they were aware of the problem he described to them.
The flaw is not new: Instagram does not have encrypted communication implemented for all of its parts, and API calls are made to endpoints over plain HTTP, with session cookies carried in the request headers.
Intercepting the session cookies can be done easily with free network traffic capture tools, and loading them into a web browser gives an attacker access to the Instagram account without having to authenticate.
Regular logging into the service is done over an encrypted connection, but subsequent communication with the cookies is carried out without encryption.
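A defender can check their own service for this pattern by auditing which cookies are issued without the `Secure` attribute and which requests carry a session cookie over `http://`. The sketch below is an added example, not code from the article or from Instagram; the host `app.example`, the paths, the cookie values and the session cookie name `sessionid` are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: host, paths and cookie values are placeholders.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",          # no Secure attribute
    "csrftoken=def456; Path=/; Secure",
    "sessionid=ghi789; Path=/; Secure; HttpOnly",
]
SAMPLE_REQUESTS = [
    {"url": "https://app.example/accounts/login/",
     "headers": {"Cookie": "csrftoken=def456"}},
    {"url": "http://app.example/api/v1/feed/",
     "headers": {"Cookie": "sessionid=abc123; csrftoken=def456"}},
    {"url": "http://app.example/static/logo.png", "headers": {}},
]
SESSION_COOKIE_NAMES = {"sessionid"}  # assumption: name of the session cookie


def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies that were set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:   # "" when absent, True when present
                missing.append(name)
    return missing


def cleartext_session_requests(requests):
    """Return (url, cookie names) for requests sending a session cookie over http://."""
    findings = []
    for req in requests:
        if urlsplit(req["url"]).scheme != "http":
            continue                   # encrypted requests are not the issue here
        headers = {k.lower(): v for k, v in req["headers"].items()}
        jar = SimpleCookie()
        jar.load(headers.get("cookie", ""))
        exposed = sorted(set(jar) & SESSION_COOKIE_NAMES)
        if exposed:
            findings.append((req["url"], exposed))
    return findings


if __name__ == "__main__":
    print("Set without Secure:", cookies_missing_secure(SAMPLE_SET_COOKIE))
    print("Sent in cleartext:", cleartext_session_requests(SAMPLE_REQUESTS))
```

Any finding from the second function means the login's encryption is undone by later traffic; the fix is to serve every endpoint over HTTPS and set `Secure` on the session cookie so the client never sends it over plain HTTP.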
With access to the account, a potential attacker could initiate the same actions as if they were the owner, making modifications, adding new content or editing comments. Sending spam or directing followers to pages hosting malicious files are just some of the nefarious activities that can be perpetrated by leveraging this security flaw.
Graham is not the only one who made this discovery and reported it to Facebook. This week, researcher Mazin Ahmed made the same disclosure, referring to the Instagram app for Android.
After contacting Facebook, he received an answer from the security team letting him know that they were aware of the problem.