New Delhi: A security researcher has revealed evidence suggesting that some private Instagram accounts were unintentionally leaking photo links to unauthenticated visitors. The issue, he says, allowed parts of private profiles to appear in server responses, even when users were not logged in or approved as followers.
The flaw was reported to Instagram’s parent company, Meta, in October 2025. While the company later patched the behavior, the case was ultimately closed as “not applicable,” with Meta stating the vulnerability could not be reproduced at the time of review.
Private profiles exposed through backend responses
The findings were shared by security researcher Jatin Banga, who showed that certain private accounts on Instagram were returning direct links to photos and captions inside the page’s HTML source.
On the surface, affected profiles still showed the standard message that the account was private. But when viewed from specific mobile devices while logged out, parts of the backend response included encoded CDN links to images that should have remained restricted. In Banga’s controlled tests, about 28% of private accounts he had permission to examine returned private photo links and captions.
He described the problem as a server-side authorization failure. According to Banga, Instagram’s systems were populating responses before properly verifying access rights. Meta initially attributed the behavior to a CDN caching issue, a claim the researcher strongly disputed.
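The failure mode Banga describes, a response populated with restricted fields before the viewer's access rights are checked, is a general authorization-ordering bug. The following is an added example, not Meta's code and not from the researcher's report; the data model, function names and the in-memory profile store are constructed assumptions. It contrasts a handler that builds the full payload and only tags it with a visibility flag against one that authorizes first, and includes a regression check a defender can run against either variant.

```python
"""Added example: authorization ordering in a profile-media endpoint.

Assumptions (not from the article): the Profile model, the PROFILES store,
the CDN URLs and the function names are constructed here for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    username: str
    is_private: bool
    approved_followers: set = field(default_factory=set)
    media_urls: list = field(default_factory=list)   # CDN links to photos
    captions: list = field(default_factory=list)


# Constructed sample data: one private account with a single approved
# follower, one public account.
PROFILES = {
    "alice": Profile("alice", True, {"bob"},
                     ["https://cdn.example/alice/1.jpg"], ["beach day"]),
    "carol": Profile("carol", False, set(),
                     ["https://cdn.example/carol/1.jpg"], ["hello"]),
}


def viewer_may_see_media(profile, viewer):
    """viewer is the authenticated username, or None when logged out."""
    if not profile.is_private:
        return True
    if viewer is None:
        return False
    return viewer == profile.username or viewer in profile.approved_followers


def render_profile_flawed(username, viewer):
    """Flawed ordering: the payload is fully populated, then merely tagged
    with a flag. Any render path (or cache layer) that ignores the flag
    hands restricted CDN links to an unauthorized viewer."""
    p = PROFILES[username]
    response = {
        "username": p.username,
        "is_private": p.is_private,
        "media": list(zip(p.media_urls, p.captions)),
    }
    response["viewer_can_view"] = viewer_may_see_media(p, viewer)
    return response


def render_profile_fixed(username, viewer):
    """Correct ordering: authorize first, so restricted fields never enter
    the payload regardless of which client or cache consumes it."""
    p = PROFILES[username]
    response = {"username": p.username, "is_private": p.is_private}
    if viewer_may_see_media(p, viewer):
        response["media"] = list(zip(p.media_urls, p.captions))
    return response


def leaks_restricted_media(render, username, viewer):
    """Regression check: does an unauthorized viewer receive any media entry?
    Returns True when the handler leaks."""
    resp = render(username, viewer)
    authorized = viewer_may_see_media(PROFILES[username], viewer)
    return (not authorized) and bool(resp.get("media"))


if __name__ == "__main__":
    for name, handler in (("flawed", render_profile_flawed),
                          ("fixed", render_profile_fixed)):
        print(name, "leaks to logged-out viewer:",
              leaks_restricted_media(handler, "alice", None))
```

The check in `leaks_restricted_media` inspects the serialized response rather than the visibility flag, which is the property that matters: a private account's media links must be absent from the bytes sent to an unauthorized client, not merely marked as hidden.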
Meta patched the issue, then closed the report
Banga says he first alerted Meta on October 12, 2025. After several days of exchanges and a follow-up report, the exploit stopped working around October 16. However, Meta later closed the case, saying it could not reproduce the issue and suggesting the fix may have been an unintended side effect of other changes.
“The standard disclosure window is 90 days,” Banga said in correspondence. “I gave Meta 102 days and multiple escalation attempts.” He added that without confirmation from Meta, there is no certainty the root cause was fully addressed.
Banga also clarified why the issue could not be captured by public archiving tools. He said services like the Wayback Machine do not send the specific mobile user-agent and headers required to trigger the leak, making independent verification difficult.
Researcher pushes for transparency, not rewards
The researcher emphasized that he was not pursuing a bug bounty. Instead, he said his goal was accountability and openness around a serious privacy lapse. He also noted that it remains unclear how long the flaw may have existed or whether it was exploited in the wild.
Additional evidence was shared with BleepingComputer, which attempted to obtain comment from Meta multiple times ahead of publication. The company did not respond.
Banga maintains that Meta quietly fixed a critical privacy issue within days of his report, but declined to formally acknowledge it. “That reluctance to investigate and explain the root cause is the real problem,” he said.