CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Instagram Private Profile Data Leak via Server-Side Authorization Failure

First reported
Last updated
1 unique sources, 2 articles

Summary

Hide ▲

Security researcher Jatin Banga discovered that some Instagram private profiles leaked links to private photos in HTML responses to unauthenticated users. The issue, which affected at least 28% of tested profiles, was reportedly fixed by Meta but dismissed as "not applicable" due to unreproducibility. The leak occurred due to a server-side authorization failure, not a CDN caching issue. The researcher provided extensive evidence, including a proof-of-concept video and GitHub documentation, but Meta did not acknowledge the root cause or provide a detailed resolution. Meta initially classified the issue as a CDN caching problem, but the researcher disputed this. Despite multiple requests for comment, Meta did not respond to BleepingComputer.

Timeline

  1. 31.01.2026 16:27 2 articles · 23h ago

    Instagram Private Profile Data Leak via Server-Side Authorization Failure

    Security researcher Jatin Banga discovered that some Instagram private profiles leaked links to private photos in HTML responses to unauthenticated users. The issue, which affected at least 28% of tested profiles, was reportedly fixed by Meta but dismissed as "not applicable" due to unreproducibility. The leak occurred due to a server-side authorization failure, not a CDN caching issue. The researcher provided extensive evidence, including a proof-of-concept video and GitHub documentation, but Meta did not acknowledge the root cause or provide a detailed resolution. Meta initially classified the issue as a CDN caching problem, but the researcher disputed this. Despite multiple requests for comment, Meta did not respond to BleepingComputer.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild

A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.

Open in new tab

Unauthenticated access vulnerability in Oracle E-Business Suite Configurator

A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.

Open in new tab

Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox

Active exploitation of critical vulnerabilities in Gladinet's CentreStack and Triofox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature. A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw affects nine organizations so far. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration. Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.

Open in new tab

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system. The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation. The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.

Open in new tab

Critical Azure Entra ID Vulnerability Exposes Cross-Tenant Access Risks

A critical elevation of privilege (EoP) vulnerability in Azure Entra ID (formerly Azure Active Directory) could have allowed unauthorized access to virtually any Entra ID tenant. The flaw, tracked as CVE-2025-55241, stems from an authentication failure in the Azure AD Graph API, enabling the creation of impersonation tokens for cross-tenant access. The vulnerability was discovered in July 2025 and addressed over the summer, with no evidence of exploitation in the wild. The flaw highlights significant security gaps in Azure's authentication stack, particularly around undocumented 'Actor' tokens used for backend service-to-service communications. These tokens lack essential security controls, such as revocation capabilities, conditional access policies, and visibility, making them highly dangerous. The Azure AD Graph API, despite being scheduled for deprecation, is still used by many Microsoft applications, underscoring the broader implications of this vulnerability. The flaw was reported to Microsoft on July 14, 2025, and the company confirmed that the problem was resolved nine days later. The vulnerability has been assigned the maximum CVSS score of 10.0. It allowed impersonation of any user, including Global Administrators, across any tenant. The flaw could bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trace. The flaw was addressed by Microsoft as of July 17, 2025, requiring no customer action. The Azure AD Graph API has been officially deprecated and retired as of August 31, 2025.

Open in new tab