Instagram private profiles server-side authorization failure security flaw
Vulnerability
Summary
A server-side authorization failure in Instagram private profiles exposed links to private photos in HTML responses, allowing unauthenticated visitors to reach content that should have stayed behind the follower gate. Meta reportedly fixed the issue after a disclosure submitted as early as October 12, 2025, and the exploit stopped working around October 16. The researcher said a proof-of-concept showed the leak and that at least 28% of his private test profiles returned photo links.
Related Happenings
U.S. Supreme Court hit by network compromise
Incident
First: 19.01.2026 18:04
Last: 19.01.2026 18:04
Sources 1
About this happening:
The **U.S. Supreme Court**, **AmeriCorps**, and the **Department of Veterans Affairs** suffered a **stolen-credential** account compromise that exposed restricted systems and sens...
BitB phishing campaign targeting Facebook users
Campaign
First: 12.01.2026 23:05
Last: 12.01.2026 23:05
Sources 1
About this happening:
A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...
Instagram account profiles leaked online
Data Leak
First: 11.01.2026 21:13
Last: 11.01.2026 21:13
Sources 1
About this happening:
**Instagram account profiles** were **scraped and leaked online**, exposing data from **17,017,213 records** and creating fresh risk of **phishing** and **social engineering**. Th...
Timeline
31.01.2026 16:27 · 1 article
Instagram private-profile leak reported to Meta
Initial Disclosure
Jatin Banga submitted findings to Meta about Instagram private profiles exposing links to private photos in HTML responses when accessed from certain mobile devices.
Sources:
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
31.01.2026 16:27 · 1 article
Instagram private-profile leak stops working
Mitigation Patch Update
The Instagram private-profile leak stopped working on tested accounts around October 16, 2025 after Meta changed the service, although Meta later closed the case as "not applicable" and did not confirm the root cause.
Sources:
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
31.01.2026 16:27 · 2 articles
Public evidence documents the Instagram leak
Technical Analysis Update
Disclosure materials documented a proof-of-concept video, a GitHub repository, encoded CDN links inside the polaris_timeline_connection JSON object, and test results showing at least 28% of private test profiles returned links to private photos; the correspondence also records Meta triage language that an unreproducible issue might have been fixed as an unintended side effect.
Sources:
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27
- Researcher reveals evidence of Instagram private profiles leaking photos — www.bleepingcomputer.com — 31.01.2026 16:27