Instagram Flaw Exposes Private Posts to Anyone

A newly disclosed server-side Instagram flaw gave attackers the ability to access private posts and captions without authentication, security researcher Jatin Banga revealed this week. The issue exploited Instagram’s mobile web infrastructure using manipulated HTTP headers and bypassed standard privacy safeguards.

By crafting a GET request with mobile user-agent headers, attackers triggered a JSON response revealing the polaris_timeline_connection object. In vulnerable accounts, this object contained CDN links to private images and accompanying text—data normally hidden unless the viewer was a follower.

Roughly 28% of tested accounts returned exposed content, suggesting the flaw required specific backend states to activate. Meta quietly patched the flaw on October 16, 2025, just days after being alerted, yet later dismissed the report, citing “infrastructure changes” without clarifying the root cause.

Banga released all technical evidence online, urging independent review. He warned that such conditional bugs pose deeper risks than widespread flaws.

Read the full story at https://cybersecuritynews.com/instagram-vulnerability-private-posts/
