Security consultant Arne Swinnen says Instagram has shuttered brute force authentication holes that allowed hijacking of some 20 million accounts.

The NVISO infosec man says an absent authentication control coupled with an insecure direct object reference vulnerability meant attackers could commandeer some four percent of accounts held in a temporary lock state.

Instagram owner Facebook paid Swinnen (@arneswinnen) $US5000 for reporting the holes, slinging a patch within 10 days of the disclosure earlier this month.

Swinnen found an account verification link for a test account, and then enumerated the user ID in the URL to test a million accounts.

The verification form was different for various accounts. Some did not expose a security vulnerability while others allowed an attacker to access accounts.

Of those tested he found some 39,000 accounts could be accessed by changing the associated account phone number, a feat which also exposed a user's phone digits as it was pre-filled into the form.

About 1,700 accounts could have their email addresses changed by attackers.

"This case was the most troublesome, as an attacker could on one hand gather sensitive user information (pre-filled phone numbers) and on the other hand simply update the phone number linked to the victim Instagram account," Swinnen says.

"After successfully linking a new phone number, an attacker could perform the 'reset password via SMS' scenario and gain complete access to the account."

Swinnen says quick manual checks found many of those phone number -exposed Instagram accounts were "mostly human" that had been inactive for a couple of weeks with a "good amount" of followers. ®