In Second method, hacker Hijacks the Instagram accounts using the Facebook OAuth Dialog. "When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place. I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter."
Here attacker can use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id to steal the access_token of victim's account.
Old Finding by Nir: