A researcher has publicly disclosed a server-side vulnerability in Instagram that allegedly allowed completely unauthenticated access to private account posts.
The disclosure raises concerns about Meta’s vulnerability disclosure handling and the effectiveness of the compensating controls protecting user privacy.
Technical Overview
According to the disclosure, the vulnerability existed in Instagram’s mobile web interface and required no authentication or follower relationship to exploit.
The attack involved sending an unauthenticated GET request to instagram.com/ with specific mobile headers.
The server responded with HTML containing embedded JSON data structures, specifically the polaris_timeline_connection object, which included CDN links to full-resolution private photos, captions, and other restricted content.

The researcher characterized this as a server-side authorization failure rather than a content delivery network (CDN) caching issue.
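
The failure class described above, a server embedding restricted timeline data in HTML for a viewer with no session, is normally prevented by a deny-by-default check before serialization plus a second check on the outgoing payload. The sketch below is an added illustration, not Instagram's code or the researcher's proof of concept; the data model, function names and payload shape are assumptions, and the sample accounts are constructed.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user_id: int
    is_private: bool
    followers: frozenset = frozenset()

@dataclass(frozen=True)
class Post:
    owner: Account
    media_url: str
    caption: str

def can_view(viewer_id, owner):
    """Deny by default: an anonymous viewer (None) sees public accounts only."""
    if not owner.is_private:
        return True
    if viewer_id is None:
        return False
    return viewer_id == owner.user_id or viewer_id in owner.followers

def build_payload(viewer_id, posts):
    """Primary control: filter on the server before anything is serialized."""
    edges = [{"owner_id": p.owner.user_id, "media_url": p.media_url,
              "caption": p.caption} for p in posts if can_view(viewer_id, p.owner)]
    return {"polaris_timeline_connection": {"edges": edges}}

def egress_check(viewer_id, payload, accounts):
    """Compensating control: re-verify the final payload before it is embedded
    in HTML, so a bug in any upstream code path fails closed."""
    for edge in payload["polaris_timeline_connection"]["edges"]:
        owner = accounts.get(edge["owner_id"])
        if owner is None or not can_view(viewer_id, owner):
            raise PermissionError(f"restricted post for owner {edge['owner_id']}")
    return payload

def render_embedded_json(viewer_id, posts, accounts):
    return json.dumps(egress_check(viewer_id, build_payload(viewer_id, posts), accounts))

# Constructed sample data: one public account, one private account followed by user 3.
PUBLIC = Account(1, False)
PRIVATE = Account(2, True, frozenset({3}))
ACCOUNTS = {a.user_id: a for a in (PUBLIC, PRIVATE)}
POSTS = [Post(PUBLIC, "https://cdn.example/pub.jpg", "hello"),
         Post(PRIVATE, "https://cdn.example/priv.jpg", "secret")]

if __name__ == "__main__":
    print(render_embedded_json(None, POSTS, ACCOUNTS))  # anonymous viewer
    print(render_embedded_json(3, POSTS, ACCOUNTS))     # approved follower
```

The egress check is what catches a conditional bug of the kind reported: if some code path skips the primary filter for a subset of accounts, the response fails closed instead of shipping the restricted edges.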
Testing across seven authorized accounts revealed the vulnerability affected approximately 28% of tested accounts, though the researcher suggests the actual exploitation rate may be higher based on accidental discovery patterns.
The researcher submitted the initial report to Meta’s bug bounty program on October 12, 2025.
Meta’s first response misclassified the issue as a CDN caching artifact and closed the case. A second report, submitted the same day, prompted Meta to engage once the researcher clarified that the issue was an authorization failure.
By October 16, 2025, just four days after detailed technical evidence was provided, the vulnerability no longer functioned across all previously vulnerable accounts, indicating that Meta had patched the issue.
However, Meta never explicitly confirmed the fix or acknowledged the vulnerability’s existence.
On October 27, Meta officially responded: “We are unable to reproduce this issue,” despite requesting vulnerable test accounts from the researcher and subsequently patching those exact accounts.
Meta characterized the fix as an unintended consequence of unrelated infrastructure changes rather than a targeted remediation.
The researcher documented the vulnerability with timestamped video evidence, proof-of-concept scripts, before-and-after screenshots, network logs with HTTP headers, and complete Meta correspondence.
All evidence was committed to GitHub with cryptographic integrity verification, preventing retroactive modification.
The disclosure raised three key concerns: Meta declined offered debug data and X-FB-Debug headers for internal tracing, rejected a comparative account analysis dataset for understanding the vulnerability’s conditional nature, and did not conduct visible root cause analysis to confirm permanent remediation.
The researcher, Jatin Banga, disclosed publicly after 102 days of coordinated disclosure attempts, exceeding the standard 90-day window.
Instagram serves over one billion users whose account privacy settings depend on backend authorization enforcement, making conditional vulnerabilities affecting unpredictable account subsets particularly dangerous compared to universal exploits.
