A previously undetected security flaw on Instagram briefly put private photos and captions of some users at risk. The bug allowed access without logging in or even following the account. This vulnerability, discovered by independent security researcher Jatin Banga, has since been fixed by Meta Platforms.
According to Banga, the issue stemmed from a weakness in Instagram’s server-side authorization checks on its mobile web interface. Under specific conditions, a carefully crafted web request, combined with particular mobile browser headers, could retrieve data meant to be restricted to private accounts.
Instead of denying the request, Instagram’s servers sometimes returned backend data, including direct links to private photos and videos hosted on Meta’s content delivery network together with their captions. The requester did not even need to be logged in.
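The flaw class described above, as a constructed Python illustration added here (not Instagram’s or Meta’s code): a media endpoint whose authorization outcome depends on a client-supplied header, next to one that decides only from server-side follower state. The accounts, CDN paths and the `X-Mobile-Lite` header are assumptions, not details from the report.

```python
"""Constructed illustration of a header-influenced authorization bypass.

Not Instagram's code: the account data, CDN URLs and the X-Mobile-Lite
header are invented to show the class of defect and its fix.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    private: bool
    followers: set = field(default_factory=set)  # usernames allowed to view


@dataclass
class Media:
    owner: str
    cdn_url: str
    caption: str


# Constructed sample data (hypothetical accounts and CDN paths).
ACCOUNTS = {
    "alice": Account("alice", private=True, followers={"bob"}),
    "carol": Account("carol", private=False),
}
MEDIA = {
    101: Media("alice", "https://cdn.example/alice/101.jpg", "private caption"),
    202: Media("carol", "https://cdn.example/carol/202.jpg", "public caption"),
}


def can_view(viewer, owner):
    """Server-side rule: public accounts are open; private ones only to owner/followers."""
    acct = ACCOUNTS[owner]
    if not acct.private:
        return True
    return viewer is not None and (viewer == owner or viewer in acct.followers)


def vulnerable_get_media(media_id, viewer, headers):
    """Flawed: a mobile 'lite' rendering path short-circuits the check (assumed bug shape)."""
    m = MEDIA[media_id]
    if headers.get("X-Mobile-Lite") == "1" or can_view(viewer, m.owner):
        return {"url": m.cdn_url, "caption": m.caption}
    return None


def hardened_get_media(media_id, viewer, headers):
    """Fixed: headers may affect rendering, never authorization; deny by default."""
    m = MEDIA[media_id]
    if not can_view(viewer, m.owner):
        return None  # same answer for anonymous requesters and non-followers
    return {"url": m.cdn_url, "caption": m.caption}
```

A regression test for this bug class is the anonymous-plus-header case: the hardened handler must return nothing for a private account whatever the request headers say.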
The flaw did not affect all private profiles. During testing, around 28 percent of sampled private accounts were found to be vulnerable, while the rest behaved as expected.
This inconsistent behavior made the issue harder to detect and potentially more dangerous. It suggested the problem was tied to specific backend states or session-handling conditions rather than a platform-wide bug.
Banga first reported the vulnerability to Meta on October 14, 2025, after discovering it through his work on a third-party account. Meta put a fix in place within the first few days of the problem being discovered.
The company later closed the report, stating that the issue had been resolved as part of broader infrastructure updates rather than through a targeted patch.
According to current assessments the flaw is no longer exploitable, but the handling process has become Banga’s main concern. He believes developers should do better at identifying and resolving bugs that affect only a subset of users.
The incident shows that a private account setting is not complete protection on its own. Platform security also depends on independent researchers who probe systems for weaknesses, including ones that automated tooling does not catch.