Graham tweeted about the issue: "Denied bug bounty. Next step is to write automated tool enabling mass hijacking of accounts," he wrote. "Pretty serious vuln, FB. please fix."
Instagram co-founder Mike Krieger has responded to issue via the same YCombinator website and said, "We've been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we're actively working on rolling out HTTPS while making sure we don't regress on performance, stability, and user experience. This is a project we're hoping to complete soon, and we'll share our experiences in our eng blog so other companies can learn from it as well."