Server-side authorization flaw reportedly exposed private images and captions without authentication
A recently disclosed vulnerability in Instagram reportedly allowed unauthorized access to private account content — including images and captions — without following the account and, in some cases, without even logging in.
The issue was identified by security researcher Jatin Banga, who stated that the flaw originated in server-side authorization logic rather than client-side caching behavior, as initially suggested.
According to the published analysis, the vulnerability could be triggered by sending a crafted GET request to the mobile web version of a private Instagram profile. By manipulating specific HTTP headers and the user-agent string, the server allegedly returned a response containing an object named:
polaris_timeline_connection
This object reportedly included private post data such as images and captions — without proper permission validation.
If accurate, this would represent a direct bypass of Instagram’s privacy enforcement controls at the server level.
Disclosure Timeline
- October 12, 2025 – Vulnerability reported to Meta with proof-of-concept (PoC) script and demonstration video
- Initial response from Meta suggested the issue was related to CDN caching
- Meta later requested test accounts for verification
- October 14 – Researcher provided a private account with owner consent; vulnerability reproduced
- October 16 – The issue reportedly stopped reproducing, suggesting a server-side patch
- October 27 – Meta closed the report as “Not Applicable,” stating they were unable to reproduce the issue
When questioned about the discrepancy, Meta reportedly indicated that the fix may have occurred as a side effect of other infrastructure changes.
Root Cause Concerns
The key concern raised by the researcher is the absence of a clear acknowledgment of the root cause. Without confirmation that the underlying authorization logic was formally corrected, there remains uncertainty whether the issue was fully resolved or simply mitigated indirectly.
The researcher published full technical analysis, network logs, and a Python PoC script on GitHub to enable independent peer review.
A notable observation from the disclosure reads:
“A vulnerability affecting only some accounts can be more dangerous than one affecting all accounts.”
Such selective flaws can be harder to detect, less likely to trigger widespread alerts, and more difficult to monitor at scale.
As of now, no detailed public technical breakdown from Meta has been issued clarifying the exact root cause or scope of exposure.
The case highlights the critical importance of robust server-side authorization controls — particularly for platforms handling sensitive personal content.