A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file. When the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source. The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. An Instagram spokesperson said the issue isn t one covered by the Facebook bug bounty program.
Source: https://threatpost.com/instagram-api-bug-could-allow-malicious-file-downloads/111784/