I found a serious vulnerability in Instagram’s Account Center that allowed a linked secondary account to regain full control of a primary account—even after the legitimate owner updated their password, email, phone number, and two-factor authentication (2FA) from another device.
This logic flaw bypassed the “Global Logout” and “Trusted Device” security model on both iOS and Android.
What Happened?
Account Center is designed to manage multiple Meta accounts in one place. However, I discovered a fundamental flaw in its trust model: it prioritized the “Link” over individual account security updates.
Normally, when a user suspecting a compromise performs a “security nuke”—changing passwords and revoking all devices—every active session should be terminated instantly.
The Bug Logic: While the victim’s main Instagram app session was successfully terminated, the authorization bridge within the Account Center remained active. The system failed to require a fresh login or a password check for high-risk actions. Because the attacker’s account was still “linked,” the system allowed the attacker to keep managing the victim’s account, completely ignoring the fact that the victim had just reset their entire security stack.
The Stealth Factor: Why Victims Don’t Remove the Link
An attacker can make this “bridge” nearly invisible to the average user by:
- Identity Mimicry: Using the same profile picture and name as the victim so the link looks like a legitimate duplicate.
- Meta Ecosystem Loophole: Linking a Meta Horizon or generic Meta Account. Most users don’t recognize these as separate “sessions” and assume they are built-in system settings, leaving the attacker’s back door wide open.
How I Verified It
- The Link: On the attacker’s device, I linked the Attacker Account to the Victim Account via Account Center.
- The Lockdown: From a separate device, the Victim changed their password, email, phone, and reset all 2FA/Backup codes, then clicked “Log out of all devices.”
- The Bypass: On the attacker’s device, the main Instagram app was logged out, but the Account Center session stayed alive. The system did NOT ask for the new password or 2FA.
- Because the accounts were still linked, the attacker could navigate into the victim’s settings via their own Account Center.
- The attacker changed the victim’s email and phone number back to the attacker’s info.
- The Takeover: I requested a Password Reset. The link was sent to the attacker’s new email. I reset the password and gained full control, rendering the victim’s lockdown useless.
Why It’s Dangerous
This was a complete failure of Identity Verification. Meta treated the Account Center link as a “super-session” that was exempt from standard session revocation. The victim is left with a false sense of security; they think the “nuke” worked, but the back door stayed open because the system failed to trigger a re-authentication challenge for sensitive changes.
Resolution
I reported this to Meta, and they have since implemented a fix. Now, any high-risk security action within Account Center (like changing an email or 2FA) triggers a mandatory re-authentication check. The system now properly validates the account’s current security state, ensuring that a linked account can no longer bypass updated credentials.
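As an added illustration of the trust-model difference described above (a constructed model for this write-up, not Meta’s code), the Python below contrasts a link check that trusts the “bridge” alone with one that ties the link to the primary account’s current security state and demands fresh re-authentication for high-risk actions. The names `security_epoch`, `REAUTH_MAX_AGE` and the `HIGH_RISK` action set are assumptions.

```python
from dataclasses import dataclass

HIGH_RISK = {"change_email", "change_phone", "change_2fa", "change_password"}
REAUTH_MAX_AGE = 300.0  # seconds a password/2FA re-check stays "fresh" (assumed policy)

@dataclass
class Account:
    """Constructed model: every credential change or 'log out of all devices'
    bumps security_epoch, so anything issued before it can be recognised as stale."""
    name: str
    password: str
    email: str
    security_epoch: int = 0

    def lock_down(self, new_password: str, new_email: str) -> None:
        # The victim's "security nuke": new password/email (plus phone, 2FA) and global logout.
        self.password = new_password
        self.email = new_email
        self.security_epoch += 1

@dataclass
class AccountCenterLink:
    """The authorization bridge created when a secondary account is linked to a primary."""
    primary: Account
    secondary: Account
    epoch_at_link: int            # primary.security_epoch when the link was created
    last_reauth_at: float = -1.0  # time of the last successful re-authentication

def authorize_vulnerable(link: AccountCenterLink, action: str) -> bool:
    # The flawed trust model from the write-up: the link itself is a "super-session";
    # neither the primary's credential reset nor the action's risk is consulted.
    return link.secondary is not None

def reauthenticate(link: AccountCenterLink, password: str, now: float) -> bool:
    # Re-auth must use the primary's *current* password and cannot revive a link
    # that predates a lockdown; a stale link has to be re-created with a fresh login.
    if link.epoch_at_link != link.primary.security_epoch or password != link.primary.password:
        return False
    link.last_reauth_at = now
    return True

def authorize_fixed(link: AccountCenterLink, action: str, now: float) -> bool:
    # 1. Session revocation applies to the bridge too, not only to the app session.
    if link.epoch_at_link != link.primary.security_epoch:
        return False
    # 2. High-risk actions need a recent re-authentication, not just a valid link.
    if action in HIGH_RISK:
        return link.last_reauth_at >= 0 and now - link.last_reauth_at <= REAUTH_MAX_AGE
    return True
```

After `lock_down`, the vulnerable check still returns True for a pre-existing link, while the fixed check rejects it and also refuses to re-authenticate it with the new password, forcing a fresh link from a fresh login.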