Due to a missing X-Frame-Options header on some Instagram pages it is possible to disclose the following private user information:
First name, last name, mobile number, email address, birthday, user biography, etc.
Even if the user's account is private, an attacker could obtain the target's private Instagram data.
Proof of concept:
If you visit https://www.instagram.com/accounts/edit/?__a=1 while logged in, you will see that the response is missing the "X-Frame-Options" header, so the page can be embedded in a frame on any third-party site.
So an attacker could set up an HTML page and create some kind of drag-and-drop game. An authenticated user thinks he is playing a game, but he is actually sending his private information to the attacker.
How this could be solved:
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
Add the "X-Frame-Options" response header with one of the following values:
DENY: the page may not be displayed in a frame at all, regardless of which site is trying to frame it;
SAMEORIGIN: the page may only be displayed in a frame whose top-level page has the same origin as the page itself;
ALLOW-FROM origin: the page may only be displayed in a frame on the specified origin (note that this value is obsolete and is ignored by current browsers; the Content-Security-Policy "frame-ancestors" directive is the supported way to express an allow-list).
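The following is an added example, not code from this report or from Instagram: a small Python checker a defender can run against a response's headers to decide whether the page is frameable (the condition the proof of concept above relies on), plus a helper that adds the recommended headers when they are missing. It also parses the Content-Security-Policy `frame-ancestors` directive, since that is the supported replacement for ALLOW-FROM. The sample header sets embedded below are constructed for illustration and were not captured from instagram.com; `check_url` is a convenience wrapper for testing your own deployment with the standard library only.

```python
"""Check an HTTP response for clickjacking (framing) protection.

Added example for this report; not Instagram's code. Inspects the
X-Frame-Options header and the CSP frame-ancestors directive.
"""
from typing import Mapping, Optional
import urllib.request

# Constructed sample responses (not captured from instagram.com):
# one with no framing restriction, one with the recommended headers.
UNPROTECTED_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache",
}
PROTECTED_HEADERS = {
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return sources.strip()
    return None


def framing_protection(headers: Mapping[str, str]) -> dict:
    """Summarise whether the response may be embedded by third-party pages."""
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    report = {"x_frame_options": None, "frame_ancestors": None,
              "protected": False, "notes": []}

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.upper()
        report["x_frame_options"] = value
        if value in ("DENY", "SAMEORIGIN"):
            report["protected"] = True
        elif value.startswith("ALLOW-FROM"):
            report["notes"].append("ALLOW-FROM is obsolete and ignored by current "
                                   "browsers; use CSP frame-ancestors instead")
        else:
            report["notes"].append(f"unrecognised X-Frame-Options value: {xfo!r}")

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            report["frame_ancestors"] = sources
            if "*" in sources.split():
                report["notes"].append("frame-ancestors * permits any site to frame this page")
            else:
                report["protected"] = True

    if not report["protected"] and not report["notes"]:
        report["notes"].append("no framing restriction: any origin can embed this page")
    return report


def harden(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with DENY / frame-ancestors 'none' added if absent."""
    fixed = dict(headers)
    if not any(k.lower() == "x-frame-options" for k in fixed):
        fixed["X-Frame-Options"] = "DENY"
    key = next((k for k in fixed if k.lower() == "content-security-policy"), None)
    if key is None:
        fixed["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif frame_ancestors(fixed[key]) is None:
        fixed[key] = fixed[key].rstrip("; ") + "; frame-ancestors 'none'"
    return fixed


def check_url(url: str) -> dict:
    """Fetch a URL you operate and report on its framing protection."""
    with urllib.request.urlopen(urllib.request.Request(url)) as resp:
        return framing_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED_HEADERS),
                        ("protected", PROTECTED_HEADERS),
                        ("hardened", harden(UNPROTECTED_HEADERS))):
        print(label, framing_protection(hdrs))
```

Run the module directly to see the three reports; `harden` is the shape of the fix the report asks for, applied to a header set that currently lacks it.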