Missing authentication combined with a simple Insecure Direct Object Reference (IDOR) vulnerability allowed takeover of a selection of temporarily locked Instagram accounts. Extrapolating from the PoC account range indicated that 4% of all existing and active Instagram accounts (approx. 500 million) were in a vulnerable locked state. Facebook fixed the vulnerability within a day and granted a $5,000 bounty 10 days later. The ecosystem depends on the trust relationship between researchers and bug bounty providers, and that relationship is still too often under pressure.
Source: https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/

