A security researcher has published detailed evidence showing that some Instagram private profiles returned links to user photos to unauthenticated visitors.
Instagram's private account feature is designed to restrict photos, videos, stories, and reels to approved followers. However, the researcher's findings show that, in certain cases, private profile content was embedded in publicly accessible server responses.
According to the researcher, Meta fixed the issue after he submitted his report but later closed the report as "not applicable," stating that the vulnerability could not be reproduced.
Private Instagram profiles leaking photos
Security researcher Jatin Banga has recently demonstrated how certain private Instagram profiles were leaking links to their private photos in the HTML response body itself.
When accessed by an unauthenticated user from certain mobile devices, private Instagram profiles (such as the researcher-created https://instagram.com/jatin.py) display the standard message: "This account is private. Follow to see their photos and videos."
A sample private Instagram profile when accessed by an unauthenticated user
However, in the HTML source code for affected profiles, links to some private photos as well as captions were embedded in the page response.
In Banga's example, the polaris_timeline_connection JSON object returned in the HTML contained encoded CDN links to photos that should not have been accessible.
HTML source code returning links to private photos
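
A response-audit check for the condition described above, as an added example (not code from the researcher or from Meta): it parses the JSON embedded in the HTML served to a logged-out viewer and reports any URLs nested under `polaris_timeline_connection`. The sample pages, their JSON layout and the `cdn.example` host are constructed assumptions; only the key name comes from the article.

```python
import json
import re
from html.parser import HTMLParser

TIMELINE_KEY = "polaris_timeline_connection"  # key named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class JSONScripts(HTMLParser):  # collects <script type="application/json"> bodies
    def __init__(self):
        super().__init__()
        self.blocks, self._in_json = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("type") == "application/json":
            self._in_json = True
            self.blocks.append("")
    def handle_endtag(self, tag):
        self._in_json = False  # script bodies are CDATA: only </script> ends one
    def handle_data(self, data):
        if self._in_json:
            self.blocks[-1] += data

def urls_under_key(node, inside=False):
    """Yield URLs in string values nested anywhere beneath TIMELINE_KEY."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from urls_under_key(value, inside or key == TIMELINE_KEY)
    elif isinstance(node, list):
        for item in node:
            yield from urls_under_key(item, inside)
    elif inside and isinstance(node, str):
        yield from URL_RE.findall(node)

def leaked_media_urls(html):
    """Audit one logged-out response; an empty list means nothing leaked."""
    parser = JSONScripts()
    parser.feed(html)
    parser.close()
    found = []
    for block in parser.blocks:
        try:
            found.extend(urls_under_key(json.loads(block)))
        except json.JSONDecodeError:
            continue  # not parseable JSON, nothing to audit in this block
    return found

# Constructed responses (not captured traffic); layout and cdn.example are assumed.
PAGE = '<html><h2>This account is private.</h2><script type="application/json">%s</script></html>'
LEAKY = PAGE % r'{"data":{"polaris_timeline_connection":{"edges":[{"caption":"c","src":"https:\/\/cdn.example\/1.jpg?a=1\u0026b=2"}]}}}'
FIXED = PAGE % '{"data":{"polaris_timeline_connection":{"edges":[]}}}'
```

Because the check decodes the JSON before matching, escaped forms such as `\/` and `\u0026` are caught even though the rendered page shows only the "This account is private" message.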