Key Takeaways
- A critical server-side vulnerability in Instagram’s infrastructure allowed unauthenticated attackers to access private photos and captions without a login or follower relationship.
- The vulnerability was patched silently by Meta in October 2025, but the company did not acknowledge the specific flaw or provide a root cause analysis.
- The vulnerability relied on a specific configuration of HTTP headers to bypass privacy controls on the mobile web interface, and approximately 28% of authorized test accounts were vulnerable.
- The disclosure has drawn criticism for Meta’s handling of the bug bounty program and the lack of transparency in their security processes.
- The full technical analysis, network logs, and a Python PoC script have been released on GitHub to facilitate peer review and validation of the findings.
Introduction to the Vulnerability
A critical server-side vulnerability in Instagram’s infrastructure has been discovered, which allowed unauthenticated attackers to access private photos and captions without a login or follower relationship. This vulnerability was reported by security researcher Jatin Banga, who disclosed the issue this week. The vulnerability relied on a specific configuration of HTTP headers to bypass privacy controls on the mobile web interface, and it is estimated that approximately 28% of authorized test accounts were vulnerable.
The Polaris Exploit Mechanism
The vulnerability stemmed from a failure in Instagram’s server-side authorization logic, rather than a simple caching error. Banga discovered that sending an unauthenticated GET request to instagram.com/ with specific mobile user-agent headers triggered a response containing the polaris_timeline_connection JSON object. Under normal circumstances, this object should be empty or restricted for private accounts viewed by non-followers. However, for affected accounts, the server returned a full edges array containing direct Content Delivery Network (CDN) links to private media and their associated captions.
Exploit Workflow
The exploit workflow involved several steps. First, the attacker would send a header-manipulated GET request to a private profile. The server would then return HTML with embedded JSON data, which would be parsed to locate the edges array. Finally, the attacker could access high-resolution images and post details via the exposed CDN URLs. This "conditional" bug did not affect every account, and the specific backend state or "corrupted" session handling required to trigger the leak is still unclear.
Timeline of a Silent Patch
The disclosure outlines a contentious 102-day interaction with Meta’s bug bounty program. Banga submitted the initial report on October 12, 2025, including a Proof-of-Concept (PoC) script and video evidence. After an initial rejection claiming the issue was CDN caching, Meta requested specific vulnerable accounts for verification. On October 14, Banga provided a consenting third-party account (its_prathambanga) where the exploit was successfully reproduced. However, two days later, on October 16, the exploit ceased to function across all previously vulnerable accounts, indicating a server-side patch had been deployed. Despite the silent patch, Meta officially closed the report on October 27 as "Not Applicable," stating they were "unable to reproduce" the issue.
Criticism and Response
The closure has drawn criticism for its lack of root cause analysis. Without acknowledging the specific flaw, it remains unclear whether the underlying authorization failure was permanently resolved or merely obscured by a configuration shift. Banga has released the full technical analysis, network logs, and a Python PoC script on GitHub to facilitate peer review and validation of the findings. "A conditional bug that exposes some accounts but not others is arguably more dangerous than one that affects everyone," Banga noted in his report. "Dismissing it with ‘infrastructure changes’ doesn’t inspire confidence." The incident highlights the importance of transparency and thoroughness in security processes, particularly when it comes to bug bounty programs and vulnerability disclosures.
Conclusion and Implications
The discovery of this critical server-side vulnerability in Instagram’s infrastructure highlights the importance of robust security measures and transparent bug bounty programs. The fact that the vulnerability was patched silently by Meta without acknowledging the specific flaw or providing a root cause analysis raises concerns about the company’s security processes. The release of the full technical analysis and PoC script on GitHub will allow independent security researchers to examine the artifacts and validate the findings, which will help to ensure that the vulnerability is fully understood and addressed. Ultimately, this incident serves as a reminder of the need for continuous vigilance and transparency in the pursuit of security and privacy.
