Security researcher Stevie Graham was denied a bug bounty by Facebook after he pointed out a major security flaw in Instagram running on iOS.
Maybe he was denied because the bug has been known about since 2012? Or is it because Facebook-owned Instagram didn't think it was that big of a deal?
Either way, it's a big deal now - he's made the hack public and is telling everyone how you can hack into other people's Instagram accounts using a shared Wi-Fi connection.
In three tweets, Graham says:
Last night I reported a serious security hole with @instagram that I've known about for years. They're not going to give me a bug bounty...
In a nutshell some API endpoints are HTTP which means I can most probably take control of your account if we're on the same wifi
Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts. Pretty serious vuln[erability], FB. please fix.
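For an app developer checking their own traffic for the condition Graham describes (session credentials sent to plain-HTTP endpoints), the audit below is an added example, not code from Graham, Facebook or this article. The hosts, paths and cookie values are constructed, and the record layout is an assumed export from an intercepting proxy run against your own test device.

```python
from urllib.parse import urlsplit

# Constructed sample of an app's traffic as a proxy might record it.
# Hosts, paths and token values are made up for illustration.
SAMPLE_EXCHANGES = [
    {"url": "https://api.example.test/login",
     "request_headers": {"Content-Type": "application/json"},
     "response_headers": [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly")]},
    {"url": "http://api.example.test/feed",
     "request_headers": {"Cookie": "sessionid=abc123"},
     "response_headers": []},
    {"url": "https://api.example.test/profile",
     "request_headers": {"Cookie": "sessionid=abc123"},
     "response_headers": [("Set-Cookie", "csrftoken=xyz; Path=/; Secure")]},
    {"url": "http://static.example.test/logo.png",
     "request_headers": {},
     "response_headers": []},
]

# Request headers that carry session credentials.
CREDENTIAL_HEADERS = {"cookie", "authorization"}


def audit(exchanges):
    """Return (kind, url, detail) findings for credential exposure over HTTP."""
    findings = []
    for ex in exchanges:
        scheme = urlsplit(ex["url"]).scheme.lower()
        sent = sorted(h for h in ex["request_headers"] if h.lower() in CREDENTIAL_HEADERS)
        # A credential header on a cleartext request is readable on a shared network.
        if scheme == "http" and sent:
            findings.append(("cleartext-credentials", ex["url"], ", ".join(sent)))
        # A cookie set without Secure may later be attached to plain-HTTP requests.
        for name, value in ex["response_headers"]:
            if name.lower() != "set-cookie":
                continue
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(("cookie-missing-secure", ex["url"], cookie_name))
    return findings


if __name__ == "__main__":
    for kind, url, detail in audit(SAMPLE_EXCHANGES):
        print(f"{kind:24} {url}  ({detail})")
```

Both findings point to the same fix: serve every API endpoint over HTTPS and mark session cookies `Secure`.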