Instagram vulnerability disclose users information

Due to missing X-Frame-Options on some Instagram pages it is possible to disclose the following users private information:

First name, last name, mobile number, email address, birthday, user biography, etc.

Even if the user account is private an attacker could get target Instagram private data.

Proof of concept:

If you visit:

You will see the response header is missing “X-Frame-Options”

So an attacker could setup a html page and create some kind of drag and drop game. An authenticated user think he is playing a game but he is sending his private information to the attacker.


Hi Diogo, Your report appears to describe a social engineering attack against Facebook users and infrastructure. Would require you to make a html page, and get the user to click the link or do the drag and drop you suggested. Although we appreciate the report, such issues do not qualify under our bug bounty program. Thanks, Randal Security

How this could be solved:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Add to header “X-frame-options” with the following values:

DENY: The browser refuses the current page to load any iframe page;
SAMEORIGIN: only allow the same page under the address of the frame;
ALLOW_FROM origin: Allows custom loading page address of the frame

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.