I just noticed with Instagram, what you can do is:
- From the logged in Instagram app, change your email address. This will send a verification link to the new email address.
- Verifying the email address requires you to log in when you click the link.
- From any login screen (desktop browser or smartphone app), you can ask to reset your password using the new email address before you've verified the email address.
- This will send a reset link to the new email address, which you can use to reset the password, and then verify the new address.
So this requires that you already have access to the person's logged-in Instagram account (e.g. if they leave their phone lying around).
Is this a serious security issue or do you assume that accessing someone's phone is already the security breach?
More details here: https://thingsdavidhaslost.wordpress.com/2015/06/01/access-to-his-instagram-account/
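
The flow described above, modelled as an added example (not part of the original post and not Instagram's code). It compares a policy that sends reset links to an unverified pending address with a hardened one that requires the current password for an email change, alerts the old address, and sends resets only to the verified address. All class, function and address names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    reauth_on_email_change: bool   # ask for the current password again
    notify_old_address: bool       # alert the verified address of the change
    reset_to_pending_email: bool   # allow reset links to an unverified address

WEAK = Policy(False, False, True)       # the behaviour the post describes
HARDENED = Policy(True, True, False)    # assumed mitigations, for comparison

@dataclass
class Account:
    verified_email: str
    password: str
    pending_email: Optional[str] = None
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (to, kind)

def change_email(acct: Account, policy: Policy, new_email: str,
                 current_password: Optional[str] = None) -> bool:
    """Stage new_email as pending; an open session alone may not be enough."""
    if policy.reauth_on_email_change and current_password != acct.password:
        return False
    acct.pending_email = new_email
    acct.outbox.append((new_email, "verify-link"))
    if policy.notify_old_address:
        acct.outbox.append((acct.verified_email, "email-change-alert"))
    return True

def request_reset(acct: Account, policy: Policy, email: str) -> Optional[str]:
    """Return the address the reset link is sent to, or None if refused."""
    ok = email == acct.verified_email or (
        policy.reset_to_pending_email and email == acct.pending_email)
    if ok:
        acct.outbox.append((email, "reset-link"))
    return email if ok else None

def session_only_takeover(policy: Policy) -> bool:
    """Unlocked session, password unknown (constructed sample data)."""
    acct = Account("owner@example.test", "s3cret")
    change_email(acct, policy, "other@example.test")  # no password supplied
    return request_reset(acct, policy, "other@example.test") is not None
```
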