A security firm is advising Instagram for iOS users to update to version 6.0.4 or later of the app to avoid leaving their Facebook accounts vulnerable to attack.  

IOActive revealed that a bug in the app could allow an attacker to steal Facebook access tokens and impersonate victims or access their personal data on the social networking site.

Security consultant Ariel Sanchez said that he discovered the issue while intercepting traffic from his smartphone in an experiment to “see what it was sending.” He found that plain text communications containing a user’s Facebook access token were sent while using the app’s “Facebook Friends” button, which helps Instragram users “follow” people they know on Facebook.

IOActive noted that individuals using Instagram on public Wi-Fi were vulnerable to being hacked, as their network traffic (and access token) could be sniffed out.