Instagram is an online photo-sharing, video-sharing and social networking service acquired by Facebook last April 2012.
Martin identified a Cross-site reference forgery ( CSRF ) in Instagram where it can be used to make private profiles set to public.
According to the researcher, there is no authenticity token being passed in setting an Instagram profile, public or private.
In the CSRF exploit he made, anyone that would click on “submit” button as provided in his proof of concept, the victims profile will be set to public ( when private. )
<html> <body> <form action="http://instagram.com/api/v1/accounts/set_public/" method="POST"> <input type="submit" value="Submit form" /> </form> </body> </html>
It was reported by him last August 22, 2013 to Facebook wherein a fix was deployed 15 days later.
On September 16th, 2013, the expert reported a bypass of the initial fix by Facebook/Instagram engineers. Few months later, Martin found another way to bypass the second fix.
Finally, on February 4th, 2014, Facebook confirmed that the CSRF flaw was properly patched.