How I hacked Instagram to see private photos (insertco.in)
85 points by lelf on Feb 10, 2014 | hide | past | favorite | 25 comments



@phr0nak: Great article, but you should spend more time editing, or get a friend who is fluent in English to help you (I assume you are not).

Phrases like "Due I guessed the website could be already audited and secure" are difficult to understand.

I think you meant, "[Since/because] I guessed the website [would already be]..."


Thanks for your comments :)


Maybe you should write in your native language, and let everyone else learn the language. I don't like it when people criticize your writing skills when it's not your native language.


Or maybe he wants the largest possible audience and the comment is aimed at getting him that.


I don't think the criticism was intended in a negative spirit. Getting a native speaker of the language to help edit your writing is a very helpful suggestion. It's a good way to improve your own language skills, while still making your writing available to other audiences. I would definitely encourage people to still publish in their native language though. As you point out, it encourages others to learn other languages and will be very helpful to your fellow countrymen.


It might not be correct English, but it's not even remotely difficult to understand what was meant. (In fact, I didn't even notice it was wrong until you pointed it out.)


Does checking the UA string offer much security? I've always been under the impression that it's essentially user input and not to be trusted. But yeah, that is a pretty nasty CSRF. Good post, thanks.


As you said, checking the User-Agent does not offer much security, but at this point it is more than nothing. I know that the Instagram team is studying other ways (csrftoken among others) to protect their website or application against this kind of attack. Thanks.


For a CSRF attack it actually does, because it needs to be executed inside an unsuspecting victim's browser. That wouldn't be sending a custom Instagram user-agent.


You're right, it's not an absolute fix.

It would have prevented requests from an authenticated browser (without a mobile UA) from being accepted, reducing the effectiveness of the attack.


I was wondering how generous the reward Facebook gives for helping them find this kind of security issue was. Can you share that? (If you decide that you don't want to share this kind of information, that is completely fine for me, I'm just curious). Thanks and congrats, good research!


https://www.facebook.com/whitehat for the general details.


Sorry, I don't want to publish it.


Well, there seems to be a certain exploit going around on FB. It's a picture that claims "hack anyone's account by opening their profile and copy-pasting this code into the web console", where said code uses your logged-in credentials to make FB API calls. The version I saw made you like a bunch of pages, follow a bunch of people and tag all of your friends in the comments to that picture. But I wonder if the same can be used to change the privacy settings.


I'm impressed that you got a reward considering Instagram is on their exclusions list for bug bounties. Well done!


I think you're wrong. Read carefully the "Exclusions" section on https://www.facebook.com/whitehat


116 days (almost 4 months) from first report to bounty payment. Longer than I expected. Is this typical?


Wow, not even a Referer header check was in place.
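An added example, not from the post or from any commenter: a toy state-changing endpoint evaluated against the three CSRF defences the thread discusses (User-Agent check, Referer/Origin check, session-bound token). The app UA string, site origin, session id and token are constructed placeholders, not Instagram's real values.

```python
import hmac

# Constructed values: assumptions for this example, not Instagram's real strings.
APP_UA = "ExampleApp/1.0 (iPhone)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
SITE = "https://app.example"
SESSION = {"id": "s3ss10n", "csrftoken": "t0k3n-bound-to-session"}

def ua_check(req):
    # Weak: the User-Agent is client-supplied, but a cross-site request fired from
    # the victim's browser cannot change it, so it still carries the browser's UA.
    return req["headers"].get("User-Agent") == APP_UA

def referer_check(req):
    # Origin (preferred) or Referer must name our own site; a missing header is rejected.
    src = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    return src == SITE or src.startswith(SITE + "/")

def token_check(req):
    # Synchronizer token: the form value must equal the token tied to this session.
    return hmac.compare_digest(req["form"].get("csrftoken", ""), SESSION["csrftoken"])

POLICIES = {"ua": ua_check, "referer": referer_check, "token": token_check}

def change_privacy(req, policy):
    """Simulated privacy-settings endpoint. Returns True if the change is applied."""
    if req["cookies"].get("sessionid") != SESSION["id"]:
        return False  # no valid session cookie: nothing to protect
    return POLICIES[policy](req)

# Constructed requests for the scenarios the comments describe.
REQUESTS = {
    # the real mobile app, sending the session cookie and the token
    "app": {"headers": {"User-Agent": APP_UA, "Origin": SITE},
            "cookies": {"sessionid": "s3ss10n"},
            "form": {"private": "0", "csrftoken": SESSION["csrftoken"]}},
    # a logged-in user on the website in a normal browser
    "web_user": {"headers": {"User-Agent": BROWSER_UA, "Origin": SITE},
                 "cookies": {"sessionid": "s3ss10n"},
                 "form": {"private": "0", "csrftoken": SESSION["csrftoken"]}},
    # CSRF: the victim's browser submits a form from a third-party page; it attaches
    # the session cookie and its own UA/Origin, and the page never learned the token
    "csrf": {"headers": {"User-Agent": BROWSER_UA, "Origin": "https://evil.example"},
             "cookies": {"sessionid": "s3ss10n"},
             "form": {"private": "0"}},
}

def evaluate():
    """Map each policy to the sorted names of the requests it accepts."""
    return {p: sorted(n for n, r in REQUESTS.items() if change_privacy(r, p))
            for p in POLICIES}
```

The UA check does stop the browser-originated CSRF, as one commenter notes, but only by also rejecting legitimate web users; the Origin/Referer and token checks reject the forged request while keeping both legitimate clients working.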


You would be surprised what some people leave behind. I'm doing some work on an app that has in-app payments, but the payments are not verified on the server to unlock o_0. This is just a big no-no. I just wonder how many other companies have this same simple error.


Amazing font shadows, so unreadable..


I can't read that page without getting ill. Even highlighting doesn't help.


Sorry to hear that. I'll fix this issue as soon as possible.


Now, where is Hunter Moore when he is needed the most?

Oh right, grounded in his parents' basement.


Nobody -- past, present, or future -- needs Hunter Moore.


I believe he was arrested.



