A critical vulnerability in Instagram allowed attackers to obtain private photos and captions without logging in or following the account owner. Security researcher Jatin Banga confirmed the flaw, which depended on a specific configuration of HTTP headers to bypass privacy controls on the mobile web interface. Meta patched the vulnerability in October 2025.

The vulnerability stemmed from a failure in Instagram's server-side authorization logic. Banga revealed that sending an unauthorised GET request to instagram.com/ with specific mobile user-agent headers triggered a response containing the polaris_timeline_connection JSON object.

Normally, this object should be empty or restricted for private accounts viewed by non-followers. For the affected accounts, however, the server returned a full edges array containing direct Content Delivery Network (CDN) links to private media and their associated captions.

This conditional bug did not compromise every account. At the time of testing, around 28 percent of authorised test accounts were vulnerable, while many of the test accounts returned secure responses, suggesting that a particular backend state or 'corrupted' session handling was required to trigger the leak.

Banga submitted the first report on October 14, 2025, after successfully reproducing the exploit on a third-party account. Just a couple of days later, Meta launched a silent patch to fix the issue. Meta closed the report on October 27, 2026, as Not Applicable. Meta's security team said that the fix may have been an unintended side effect of other infrastructure changes.

Banga said, 'A conditional bug that exposes some accounts but not others is arguably more dangerous than one that affects everyone. Dismissing it with ‘infrastructure changes’ doesn’t inspire confidence.’
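The server-side property at stake in this report, shown as an added illustration that is not Meta's code: the visibility decision depends only on the viewer and their relationship to the account, fails closed, and is never influenced by request headers. The `Account` model, the `node`, `display_url`, `caption` and `layout` field names, and the sample data are assumptions; only `polaris_timeline_connection` and `edges` come from the article.

```python
from dataclasses import dataclass, field

@dataclass
class Account:  # hypothetical model, not Instagram's schema
    user_id: int
    is_private: bool
    followers: set = field(default_factory=set)
    posts: list = field(default_factory=list)

def can_view_media(viewer_id, owner):
    """Fail-closed check that uses identity and relationship only."""
    if owner is None:              # missing or corrupt account state: deny
        return False
    if not owner.is_private:
        return True
    if viewer_id is None:          # logged-out request to a private account
        return False
    return viewer_id == owner.user_id or viewer_id in owner.followers

def build_timeline_connection(viewer_id, owner, headers):
    """Headers may choose the layout; they never gate the media edges."""
    layout = "mobile" if "Mobile" in headers.get("User-Agent", "") else "desktop"
    edges = []
    if can_view_media(viewer_id, owner):
        edges = [{"node": {"display_url": p["cdn_url"], "caption": p["caption"]}}
                 for p in owner.posts]
    return {"layout": layout, "polaris_timeline_connection": {"edges": edges}}

def header_variants_that_leak(viewer_id, owner, header_sets):
    """Regression check: header sets that expose edges to a denied viewer."""
    if can_view_media(viewer_id, owner):
        return []
    return [h for h in header_sets
            if build_timeline_connection(viewer_id, owner, h)
            ["polaris_timeline_connection"]["edges"]]

# Constructed sample data for the check below.
PRIVATE = Account(1, True, {2},
                  [{"cdn_url": "https://cdn.example/p1.jpg", "caption": "constructed"}])
HEADER_SETS = [{}, {"User-Agent": "ExampleBrowser/1.0 Mobile"},
               {"User-Agent": "ExampleBrowser/1.0"}]

if __name__ == "__main__":
    # A logged-out viewer must get empty edges under every header variant.
    print(header_variants_that_leak(None, PRIVATE, HEADER_SETS))
```

Running `header_variants_that_leak` over every client header profile a service supports, for each denied viewer type, makes a header-conditional exposure fail in CI instead of in production.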