Slashdot Mirror


Facebook, Researcher Spar Over Instagram Flaw Disclosure (exfiltrated.com)

msm1267 writes: A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network's bug bounty program, but, he said, also prompted hints of legal and criminal action, which Facebook has since denied. Wesley Wineberg, a contract employee of security company Synack, said today that he had found some weaknesses in the Instagram infrastructure that allowed him to access source code for recent versions of Instagram, SSL certificates and private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, and keys for more than a half-dozen critical other functions, including iOS and Android app signing keys and iOS push notification keys. Wineberg also accessed employee accounts and passwords, some of which he cracked, and had access to Amazon buckets storing user images and other data, prompting claims of user privacy violations from Facebook.


  1. Warning, do not try at home by phantomfive · Score: 3, Informative

    access source code for recent versions of Instagram, SSL certificates and private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, and keys for more than a half-dozen critical other functions, including iOS and Android app signing keys and iOS push notification keys. Wineberg also accessed employee accounts and passwords, some of which he cracked

    Warning: if you are going to do security research, don't access all that stuff (without permission from the company), it can be completely illegal.
    People have literally gone to jail for accessing less than this guy did. Whether you think it should be illegal or not, it is illegal and you should be more careful than he was.

    --
    "First they came for the slanderers and i said nothing."