Instagram Vulnerability Exposes Private Posts to Unauthorized Access
A significant security flaw within Instagram’s server infrastructure recently came to light, allowing unauthorized individuals to access private photos and captions without the need for login credentials or follower relationships. This vulnerability, identified by security researcher Jatin Banga, was reportedly addressed by Meta in October 2025 without public disclosure.
Understanding the Polaris Exploit Mechanism
The root of this vulnerability was a lapse in Instagram’s server-side authorization processes, rather than a mere caching issue. Banga discovered that by sending an unauthenticated GET request to `instagram.com/
Typically, this object should be empty or restricted when viewed by non-followers of private accounts. However, for certain accounts, the server returned a complete `edges` array containing direct Content Delivery Network (CDN) links to private media and their associated captions.
Exploit Workflow:
1. Request: An attacker sends a GET request to a private profile, manipulating the headers.
2. Response: The server returns HTML embedded with JSON data.
3. Extraction: The `polaris_timeline_connection` object is parsed to locate the `edges` array.
4. Access: High-resolution images and post details are accessed via the exposed CDN URLs.
Notably, this conditional bug did not affect all accounts uniformly. Testing revealed that approximately 28% of authorized test accounts were vulnerable, while others returned secure responses. This suggests that a specific backend state or corrupted session handling was necessary to trigger the leak.
Timeline of the Silent Patch
The disclosure details a 102-day interaction with Meta’s bug bounty program:
– October 12, 2025: Banga submitted the initial report, including a Proof-of-Concept (PoC) script and video evidence.
– October 14, 2025: After an initial rejection citing CDN caching, Meta requested specific vulnerable accounts for verification. Banga provided a consenting third-party account (`its_prathambanga`) where the exploit was successfully reproduced.
– October 16, 2025: The exploit ceased to function across all previously vulnerable accounts, indicating a server-side patch had been deployed. However, Meta provided no notification of the fix.
– October 27, 2025: Meta officially closed the report as Not Applicable, stating they were unable to reproduce the issue.
When questioned about the contradiction—requesting vulnerable accounts and then fixing them—Meta’s security team responded that the fix might have been an unintended side effect of other infrastructure changes.
This closure has drawn criticism for its lack of root cause analysis. Without acknowledging the specific flaw, it remains unclear whether the underlying authorization failure was permanently resolved or merely obscured by a configuration shift.
Banga has released the full technical analysis, network logs, and a Python PoC script on GitHub to facilitate peer review. This release invites independent security researchers to examine the artifacts and validate the findings.
A conditional bug that exposes some accounts but not others is arguably more dangerous than one that affects everyone, Banga noted in his report. Dismissing it with ‘infrastructure changes’ doesn’t inspire confidence.
Implications and Recommendations
This incident underscores the importance of robust server-side authorization mechanisms and transparent communication from platform providers regarding security vulnerabilities.
For Users:
– Stay Informed: Regularly update yourself on security advisories related to the platforms you use.
– Review Privacy Settings: Ensure that your account settings align with your privacy preferences.
– Report Suspicious Activity: If you notice unusual behavior on your account, report it to the platform immediately.
For Developers and Security Professionals:
– Conduct Regular Security Audits: Regularly test and audit your systems for potential vulnerabilities.
– Implement Robust Authorization Checks: Ensure that server-side authorization mechanisms are stringent and regularly updated.
– Foster Transparent Communication: When vulnerabilities are discovered, communicate openly with the affected parties and the broader community.
By taking these steps, both users and developers can contribute to a more secure digital environment.
