it creates a convincing phishing scenario, tricking users into thinking their login attempt failed and that they need to contact the malicious support email.
Why This Demonstrates Significant Risk
Even though content injection vulnerabilities are often considered out of scope, this report highlights a real phishing risk because:
1. Legitimate Login Flow: Because the message is delivered through the real Instagram login page, the attack inherits the trust users place in that page, making it more believable.
2. Post-Login Manipulation: Showing the phishing message after the user successfully logs in creates confusion and makes the user more likely to believe that there’s an issue with their account.
3. Targeting Mobile Users: The attack is particularly dangerous for mobile users who cannot see the full URL and are less likely to detect the manipulation.
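To make the defensive side of the three points above concrete, here is an added example (not code from the article or from Instagram) contrasting the weak pattern that enables this kind of content injection with a hardened one, plus a small log-review heuristic for spotting abuse of an endpoint that still reflects text. It assumes the post-login status text is selected through a URL query parameter; the parameter name `msg`, the hostnames and the log lines are all constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample URL: a post-login landing page where a query parameter controls
# the status text shown to the user. The parameter name "msg" is an assumption for
# illustration, not the actual parameter from the report.
SAMPLE_URL = (
    "https://example.com/login/done"
    "?msg=Login+failed.+Contact+help%40attacker.example+to+restore+access"
)

# Server-defined messages. Only these strings can ever reach the page.
STATUS_MESSAGES = {
    "ok": "You are now logged in.",
    "pw_changed": "Your password was changed recently. Review your security settings if this was not you.",
}


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def reflecting_handler(url: str) -> str:
    """Weak pattern: the page echoes free-form text taken from the URL.
    HTML-escaping blocks script injection, but the attacker still chooses the words the
    victim reads on a trusted page, which is exactly the content-injection phishing risk."""
    return f"<p class='notice'>{html.escape(_query_param(url, 'msg'))}</p>"


def hardened_handler(url: str) -> str:
    """Hardened pattern: the URL may only *select* a message by code from STATUS_MESSAGES.
    Unknown or missing codes fall back to a neutral default, so no caller-supplied text
    is ever rendered."""
    code = _query_param(url, "code")
    text = STATUS_MESSAGES.get(code, STATUS_MESSAGES["ok"])
    return f"<p class='notice'>{html.escape(text)}</p>"


# Detection side: heuristics for reviewing request logs of an endpoint that still reflects text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
URGENCY_WORDS = ("contact", "support", "verify", "failed", "suspended", "locked")


def looks_like_phishing_text(text: str) -> bool:
    """Flag reflected text that carries a contact channel (email/URL) or stacks urgency wording."""
    if EMAIL_RE.search(text) or URL_RE.search(text):
        return True
    lowered = text.lower()
    return sum(word in lowered for word in URGENCY_WORDS) >= 2


# Constructed access-log lines (not real traffic): timestamp, method, path+query, status.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z GET /login/done?msg=Welcome+back 200",
    "2024-05-01T10:00:07Z GET /login/done?msg=Login+failed.+Contact+help%40attacker.example+to+restore+access 200",
    "2024-05-01T10:00:09Z GET /login/done?msg=Your+session+has+expired 200",
    "2024-05-01T10:00:12Z GET /login/done?msg=Account+suspended.+Verify+at+http%3A%2F%2Fevil.example 200",
]


def flag_suspicious_requests(log_lines):
    """Return the decoded reflected messages that match the phishing heuristics."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        # parts[2] is the request path; prefix a host so urlparse sees a full URL.
        msg = _query_param("https://example.com" + parts[2], "msg")
        if msg and looks_like_phishing_text(msg):
            flagged.append(msg)
    return flagged


if __name__ == "__main__":
    print(reflecting_handler(SAMPLE_URL))
    print(hardened_handler(SAMPLE_URL))
    for m in flag_suspicious_requests(SAMPLE_LOG):
        print("FLAGGED:", m)
```

The point of the hardened handler is that escaping alone does not address this class of issue: the fix is to stop rendering caller-chosen text at all and let the URL pick from server-owned messages. The heuristic is deliberately crude and meant for triaging logs, not as a blocking control.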
If you really read the article, you know the issue here, but it seems you are also not aware, then join with Philip.
Security/privacy related issues don't always need to impact user data; that's not a baseline on which you can base every "vulnerability". Again, the text injection is not the issue here: if it's out of scope they will not accept it in the first place, but as you can see in the timeline they "triaged" it. Triaged what? A "simple text injection"? Do you think analysts are dumb and don't know it's out of scope? I clearly demonstrated the impact; that's why they "considered" it and marked it as "triaged".
The real issue here: after they triaged it, they fixed the bug, then closed it as informative because the described bug could no longer be reproduced when another analyst tested it. So I asked if they could track the changes they made, but they can't provide what happened. Get it?
Next time, read the full article and the main issue here; don't be like "Philip", who focuses on the simple text injection.