
A security researcher has published detailed proof showing that some private Instagram profiles returned links to user photos to unauthenticated visitors.
Instagram's private account feature is designed to restrict photos, videos, stories, and reels to approved followers. However, the researcher's findings show that, in certain circumstances, private profile content was embedded in publicly accessible server responses.
According to the researcher, Meta fixed the issue after his report was submitted but later closed it as "not applicable," stating the vulnerability could not be reproduced.
Private Instagram profiles leaking photos
Security researcher Jatin Banga has recently demonstrated how certain private Instagram profiles were leaking links to private photos from those accounts, in the HTML response body itself.
When accessed by an unauthenticated user from certain mobile devices, private Instagram profiles (such as the researcher-created https://instagram.com/jatin.py) display the standard message: "This account is private. Follow to see their photos and videos."

However, in the HTML source code for affected profiles, links to some private photos as well as captions were embedded in the page response.
In Banga's example, the polaris_timeline_connection JSON object returned in the HTML contained encoded CDN links to photos that should not have been accessible.

The video proof-of-concept (PoC) shared by Banga and embedded below demonstrates the data leak vulnerability in action.
By limiting formal testing to private test profiles Banga had created or had explicit permission to use, he found that at least 28% of these accounts were returning captions and links to private photos:
Meta quietly fixed the issue after report, researcher says
The researcher states that he shared his findings with Instagram's parent company, Meta, as early as October 12, 2025.
Meta initially classified the issue as a CDN caching problem, a characterization the researcher disputed.
"This wasn't a CDN caching issue — Instagram's backend was failing to check authorization before populating the response," Banga wrote, describing it as a server-side authorization failure.
Banga created a second bug report clarifying the issue, but did not reach a satisfactory resolution with the company despite a lengthy discussion spanning days.
According to the researcher, after repeated exchanges, the case was closed as "not applicable" but the exploit stopped working around October 16.
"The standard coordinated disclosure window is 90 days. I gave Meta 102 days and multiple escalation attempts. The exploit stopped working on all accounts I tested — though without root cause analysis from Meta, there is no confirmation the underlying issue is truly resolved," he continues.
Along with his disclosure and the GitHub repository documenting extensive proof of the flaw and communications with Meta, Banga shared additional materials with BleepingComputer to prove the existence of the flaw.
We asked Banga why he did not archive the test private profile using a public service like the Internet Archive's Wayback Machine, which could have preserved the HTML source code with the links to private photos present, thereby indisputably confirming the presence of a bug.
"The Wayback Machine doesn't send the specific Mobile User-Agent and Headers required to trigger this server-side leak, so their crawlers couldn't capture it," the researcher clarified to BleepingComputer.
In the published correspondence, a Meta vulnerability triage analyst wrote:
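To make the distinction Banga draws concrete, here is an added illustration (not Instagram's or Meta's code; the class, function names, URLs and sample data are constructed) of a profile-response builder in its vulnerable form, where the timeline JSON the page calls polaris_timeline_connection is embedded regardless of who is asking, beside a hardened form where the same authorization decision gates what is written into the response body:

```python
from dataclasses import dataclass, field
import json

@dataclass
class Profile:
    """Constructed model of a profile; names and URLs are placeholders."""
    username: str
    is_private: bool
    approved_followers: set = field(default_factory=set)
    timeline: list = field(default_factory=list)  # CDN links of the user's posts

def viewer_may_see_timeline(profile: Profile, viewer) -> bool:
    """Authorization rule: public profiles are visible to anyone; private ones
    only to the owner and approved followers. viewer=None is unauthenticated."""
    if not profile.is_private:
        return True
    if viewer is None:
        return False
    return viewer == profile.username or viewer in profile.approved_followers

def render_vulnerable(profile: Profile, viewer) -> str:
    """Before: only the banner text is gated; the timeline JSON is embedded
    unconditionally, so the links sit in the HTML source for any visitor."""
    allowed = viewer_may_see_timeline(profile, viewer)
    banner = "" if allowed else "This account is private. Follow to see their photos and videos."
    data = {"polaris_timeline_connection": {"edges": profile.timeline}}
    return f"<html><body><p>{banner}</p><script>{json.dumps(data)}</script></body></html>"

def render_hardened(profile: Profile, viewer) -> str:
    """After: the same authorization decision gates what goes into the
    response body, not only what the client chooses to display."""
    allowed = viewer_may_see_timeline(profile, viewer)
    banner = "" if allowed else "This account is private. Follow to see their photos and videos."
    edges = profile.timeline if allowed else []
    data = {"polaris_timeline_connection": {"edges": edges}}
    return f"<html><body><p>{banner}</p><script>{json.dumps(data)}</script></body></html>"

def leaked_links(html: str, profile: Profile) -> list:
    """Regression check: which of the profile's private links appear in a response body."""
    return [url for url in profile.timeline if url in html]

# Constructed sample: a private test profile with one approved follower.
SAMPLE = Profile(
    username="private_test_account",
    is_private=True,
    approved_followers={"approved_follower"},
    timeline=["https://cdn.example/photo1.jpg", "https://cdn.example/photo2.jpg"],
)
```

Running leaked_links over the unauthenticated response is the kind of check that, performed against one's own test profiles, would have caught the leak without any CDN caching being involved.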

Eventually, during the course of the conversation, the analyst is seen stating:
"The fact that an unreproducible issue was fixed doesn't change the fact that it was not reproducible at the time. Even if the issue had been reproducible, it is possible that a change was made to fix a different issue and this issue was fixed as an unintended side effect."
"I want to emphasize that I'm not chasing a bounty here. By going public with this disclosure, I've forfeited any chance of a reward," Banga told BleepingComputer via email.
"The goal is transparency. Meta patched a critical privacy leak 48-96 hours after my report but refused to acknowledge it, dismissing it as an 'unintended side effect.' Their negligence and reluctance to investigate the actual root cause—despite having the logs—is the real issue."
"Nobody knows how long this has actually been exploited for, as it was not so hard to find."
BleepingComputer contacted Meta for comment on three separate occasions well ahead of publication but did not receive a response.

