Security researcher Sebastián Guerrero has posted some details on an apparent security vulnerability within Instagram. Guerrero claims to have discovered a method for forcing any Instagram user to follow another account. That would mean that private Instagram accounts would be accessible to a malicious user, to say nothing of forcing non-private users into following other accounts they may not want to follow.
While the full details of how to exploit the vulnerability weren't posted in the alert on Pastebin, Guerrero did provide a few more details in a blog post (Google translation here). On Pastebin, he summarizes the vulnerability as "Instagram['s] lack of control on authorization logic allows an user to add himself as a friend of any user on Instagram social network." Guerrero tells us via email that he first submitted the vulnerability to Instagram yesterday with no response, then chose to go public with his claims today. Guerrero has also given us a few further details via email on how he achieved the exploit, but we have not yet independently verified his claims.
Guerrero also posted what he claims are proofs-of-concept wherein he was able to make accounts for both Mark Zuckerberg and Barack Obama follow him (as of this writing, it didn't appear to us that those accounts were following his account). We've reached out to Instagram and Facebook for comment and will update this article when we hear back.
Update: Instagram has posted an information page about the issue, noting that so far as it can tell, "the technical researcher was not able to follow private users." However, it does appear that the bug did allow Guerrero to cause follows to happen. Instagram says that the bug was not "taken advantage of at any other scale other than very minimal experiments" and most importantly, "The bug was resolved."