Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated.
Swinnen has taken advantage of Instagram’s option to link a mobile phone number to an account in order to earn money. After several unsuccessful SMS requests from Instagram to verify the link by using a token, the service will place a call that lasts some 17 seconds to the number.
Instagram didn’t notice the real nature of the provided number, nor did it notice when the same number was tied to 100 Instagram accounts. The service did limit how often the call could be replayed (once every 30 seconds), but the calls could easily be scheduled with such a pause in between.
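A server-side guard for the voice-call fallback that checks the things the paragraph above says went unnoticed: the number's type, how many accounts share it, and a call budget per number rather than per request. This is an added example, not Instagram's code or part of Swinnen's research; the prefixes, thresholds and all names are assumptions.

```python
from collections import defaultdict, deque

# Assumption: illustrative prefixes only; a real deployment would classify the
# number type through a numbering-plan or carrier lookup.
PREMIUM_PREFIXES = ("+1900", "+449")
MAX_ACCOUNTS_PER_NUMBER = 3   # assumed policy value
MAX_CALLS_PER_NUMBER = 5      # assumed policy value, per window
WINDOW_SECONDS = 24 * 3600


class VoiceCallGuard:
    """Decides whether a verification call to a number may be placed."""

    def __init__(self):
        self.accounts = defaultdict(set)   # number -> accounts that linked it
        self.calls = defaultdict(deque)    # number -> timestamps of placed calls

    def check(self, account, number, now):
        if number.startswith(PREMIUM_PREFIXES):
            return "deny:premium_rate"
        linked = self.accounts[number]
        if account not in linked and len(linked) >= MAX_ACCOUNTS_PER_NUMBER:
            return "deny:too_many_accounts"
        recent = self.calls[number]
        # Drop calls that have aged out of the budget window.
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_CALLS_PER_NUMBER:
            return "deny:call_budget_exhausted"
        linked.add(account)
        recent.append(now)
        return "allow"


def simulate(number, accounts, interval, rounds):
    """Constructed replay: every account requests a call each `interval` seconds."""
    guard = VoiceCallGuard()
    results = defaultdict(int)
    now = 0
    for _ in range(rounds):
        for acct in range(accounts):
            results[guard.check(f"acct{acct}", number, now)] += 1
        now += interval
    return dict(results)
```

With 100 accounts sharing one number and requests spaced 30 seconds apart, only five calls are placed before the per-number budget stops the rest, which a per-request delay alone does not achieve.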