Instagram's mobile web interface had a server-side authorization flaw that made it possible for totally unauthenticated users to view private account posts without user consent, follower relationships, or authentication This article explores unauthenticated requests instagram. . After 102 days of coordinated disclosure efforts, security researcher Jatin Banga revealed the vulnerability, which reveals serious flaws in Meta's compensatory security controls and vulnerability handling procedures that safeguard more than one billion Instagram users.

Technical Synopsis Instead of a content delivery network (CDN) caching problem, the vulnerability took advantage of a server-side authorization failure. Using particular mobile headers, attackers sent unauthenticated GET requests to instagram.com/, to which the server replied with HTML that contained embedded JSON data structures. State of Trigger (source: Medium) In particular, the polaris_timeline_connection Without the appropriate authorization checks, the object contained CDN links to full-resolution private photos, captions, and restricted metadata.

The attack only needed the target's username and a simple HTTP client; no follower relationships, special privileges, or authentication credentials were needed. Clain, exposed (source: Medium) Approximately 28% of the seven authorized accounts that were tested had the vulnerability. However, based on unintentional discovery patterns seen during testing, Banga speculates that the true exploitation rate might be higher.

Unlike universal exploits that affect all users equally, the vulnerability's conditional nature that affects unpredictable account subsets made it especially dangerous. On October 12, 2025, Banga sent the first report to Meta's bug bounty program. In its initial response, Meta closed the case without conducting an investigation, misclassifying the problem as a CDN caching artifact.

The same day, Meta received a second clarifying report that clarified the authorization failure and distinguished it from network-layer problems. The vulnerability stopped working on all previously vulnerable accounts by October 16, just four days after comprehensive technical evidence was presented, suggesting Meta had fixed the problem. Crucially, Meta never formally acknowledged the existence of the vulnerability or confirmed the fix.

Despite asking Banga for vulnerable test accounts and patching those exact accounts, Meta's official response on October 27 was, "We are unable to reproduce this issue." Meta questioned whether long-term security measures were put in place, characterizing the remediation as an unintended consequence of unrelated infrastructure changes rather than targeted bug fixes.

Timestamped video proof-of-concept, complete HTTP network logs with headers, before-and-after screenshots, and complete Meta correspondence are just a few of the extensive pieces of evidence that Banga used to document the vulnerability. In order to avoid retroactive modification or accusations of mischaracterization, all materials were committed to GitHub with cryptographic integrity verification. Meta's response raised three serious issues: it refused to provide debug data and X-FB-Debug headers for internal tracing, rejected a comparative account analysis dataset to comprehend vulnerability conditions, and failed to perform visible root cause analysis to verify long-term remediation.

These rejections made it impossible to independently confirm that the problem had been fully resolved. Over a billion users of Instagram rely solely on backend authorization enforcement for their account privacy settings.

Because they allow targeted attacks against specific users while remaining challenging to detect at scale, conditional vulnerabilities affecting unpredictable account subsets present unique risks. Banga's public disclosure after going beyond the customary 90-day coordinated disclosure window highlights dissatisfaction with Meta's contemptuous handling of a serious privacy breach, lack of recognition of the vulnerability's existence, and inadequate transparency regarding remediation efforts. The event serves as an example of why, in situations where organizational responses lack accountability or transparency, security researchers should thoroughly document vulnerabilities and preserve the cryptographic integrity of evidence.