A critical server-side vulnerability in Instagram’s infrastructure allowed unauthenticated attackers to access private photos and captions without a login or follower relationship, according to a disclosure released this week by security researcher Jatin Banga.
The vulnerability, which was reportedly patched silently by Meta in October 2025, relied on a specific configuration of HTTP headers to bypass privacy controls on the mobile web interface.
The “Polaris” Exploit Mechanism
The vulnerability stemmed from a failure in Instagram’s server-side authorization logic rather than a simple caching error. Banga discovered that sending an unauthenticated GET request to instagram.com/

Under normal circumstances, this object should be empty or restricted for private accounts viewed by non-followers. However, for affected accounts, the server returned a full edges array containing direct Content Delivery Network (CDN) links to private media and their associated captions.
Exploit Workflow:
- Request: Attacker sends a header-manipulated GET request to a private profile.
- Response: Server returns HTML with embedded JSON data.
- Extraction: The polaris_timeline_connection object is parsed to locate the edges array.
- Access: High-resolution images and post details are accessed via the exposed CDN URLs.
This “conditional” bug did not affect every account. In testing, approximately 28% of authorized test accounts were vulnerable, while others returned secure responses, suggesting a specific backend state or “corrupted” session handling was required to trigger the leak.
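As an added example (not from Banga's disclosure, his PoC, or any Meta code), the check below applies the leak criterion the workflow describes from the defender's side, as a regression test: a response for a private account served to an unauthorized viewer must not carry a non-empty `edges` array under `polaris_timeline_connection`. The HTML samples and the `<script type="application/json">` embedding are constructed assumptions, not Instagram's real markup.

```python
import json
import re

# Constructed sample responses (not real Instagram markup): one that leaks
# private media via the embedded JSON, one that is correctly restricted.
LEAKING_HTML = """<html><script type="application/json">
{"polaris_timeline_connection": {"edges": [
  {"node": {"id": "1", "display_url": "https://cdn.example.invalid/a.jpg",
            "caption": "private post"}}]}}
</script></html>"""

SECURE_HTML = """<html><script type="application/json">
{"polaris_timeline_connection": {"edges": []}}
</script></html>"""

JSON_SCRIPT = re.compile(r'<script type="application/json">(.*?)</script>', re.S)


def extract_edges(html_body):
    """Find the embedded JSON blob carrying polaris_timeline_connection and
    return its edges list; None when no such object is present at all."""
    for blob in JSON_SCRIPT.findall(html_body):
        try:
            data = json.loads(blob)
        except json.JSONDecodeError:
            continue  # skip unrelated or malformed script blobs
        conn = data.get("polaris_timeline_connection")
        if isinstance(conn, dict):
            return conn.get("edges", [])
    return None


def audit_response(html_body, *, account_private, viewer_authorized):
    """Classify one profile response. A leak is any media edge served for a
    private account to a viewer who is neither logged in nor a follower."""
    edges = extract_edges(html_body) or []
    exposed = len(edges)
    leak = account_private and not viewer_authorized and exposed > 0
    return {"exposed_items": exposed, "leak": leak}


def leak_rate(findings):
    """Share of audited responses that leaked, for a fleet of test accounts."""
    return sum(f["leak"] for f in findings) / len(findings) if findings else 0.0
```

Run `audit_response` against each consenting test account's unauthenticated response and alert when `leak_rate` is non-zero; a partial rate, like the 28% reported above, is exactly the conditional failure a single spot check would miss.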
Timeline of a Silent Patch
The disclosure outlines a contentious 102-day interaction with Meta’s bug bounty program. Banga submitted the initial report on October 12, 2025, including a Proof-of-Concept (PoC) script and video evidence.
After an initial rejection claiming the issue was CDN caching, Meta requested specific vulnerable accounts for verification. On October 14, Banga provided a consenting third-party account (its_prathambanga) where the exploit was successfully reproduced.
Two days later, on October 16, the exploit ceased to function across all previously vulnerable accounts, indicating a server-side patch had been deployed. However, Meta provided no notification of the fix.
Despite the silent patch, Meta officially closed the report on October 27 as “Not Applicable,” stating they were “unable to reproduce” the issue.
When challenged about the contradiction of requesting vulnerable accounts and then fixing them, Meta’s security team responded that the fix may have been an “unintended side effect” of other infrastructure changes.
The closure has drawn criticism for its lack of root cause analysis. Without acknowledging the specific flaw, it remains unclear whether the underlying authorization failure was permanently resolved or merely obscured by a configuration shift.
Banga has released the full technical analysis, network logs, and a Python PoC script on GitHub to facilitate peer review. The release invites independent security researchers to examine the artifacts and validate the findings.
“A conditional bug that exposes some accounts but not others is arguably more dangerous than one that affects everyone,” Banga noted in his report. “Dismissing it with ‘infrastructure changes’ doesn’t inspire confidence.”