The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain.
The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority.
“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email."