Meta’s Instagram and Facebook iOS apps open external links in an in-app browser instead of Safari, enabling them to inject custom JavaScript code into every website you visit using the in-app browser.

In a long, amusingly written blog post, the hacker known as “Alex” outlines how he discovered former Australian prime minister Tony Abbott’s passport number and phone number from an ill-advised Instagram post, got Qantas to fix the security hole, and avoided going to jail.