Private profiles of Instagram users could be made public as a result of a vulnerability that took almost six months to fix.
The flaw would have enabled hackers to change privacy settings within user profiles to expose potentially sensitive photos to the internet, or to lock down popular pages by marking them as private.
The attack was launched by a malicious phishing link that exploited a Cross Site Request Forgery (CSRF) flaw, a common vulnerability described as "the worst kind of vulnerability [because they are] very easy to exploit by attackers, yet not so intuitively easy to understand for software developers".
The flaws occur when websites fail to check that sensitive actions - like changing Instagram privacy settings - were actually sent from the authenticated user; instead, most websites just check that the action came from the user's browser.
The approach is risky because browsers can run code from multiple sites, opening the possibility that an action could have been quietly made from a second website and not the user.
Such a case occured with Instagram's mobile app version, white hat hacker Christian Lopez Martin found.
"A successful CSRF exploitation could compromise end user data (photos and personal information) by making public [their] Instagram profile," Martin said in a blog.
"It is important to mention that the vulnerability was completely effective in a real scenario [because] Instagram didn’t implement either CSRF security tokens or the checks that detect if the user-agent came from the mobile app."
Martin tested the flaw with a fake account, and not against live profiles.
He sent details of the vulnerability to Facebook -- the owner of Instagram -- in August which pushed out the first of three fix attempts in September.
The hacker bypassed the first patch issued by Facebook and also broke a subsequent fix.
The Instagram flaw was finally closed last week.
Despite the lengthy repair time, Martin praised Facebook's well-established security team for its "great response" and undisclosed bounty cash reward it offered for the vulnerability.