Cyber: Researcher Reveals Evidence Of Private Instagram Profiles Leaking...

A security researcher has published detailed evidence showing that some Instagram private profiles returned links to user photos to unauthenticated visitors.

Instagram's private account feature is designed to restrict photos, videos, stories, and reels to approved followers. However, the researcher's findings show that, in certain cases, private profile content was embedded in publicly accessible server responses.

According to the researcher, Meta fixed the issue after his report was submitted but later closed it as "not applicable," stating the vulnerability could not be reproduced.

Security researcher Jatin Banga has recently demonstrated how certain private Instagram profiles were leaking links to private photos from these accounts—in the HTML response body itself.

When accessed by an unauthenticated user from certain mobile devices, private Instagram profiles (such as the researcher-created https://instagram.com/jatin.py) display the standard message: "This account is private. Follow to see their photos and videos."

However, in the HTML source code for affected profiles, links to some private photos as well as captions were embedded in the page response.

In Banga's example, the polaris_timeline_connection JSON object returned in the HTML contained encoded CDN links to photos that should not have been accessible.

The video proof-of-concept (PoC) shared by Banga and embedded below demonstrates the data leak vulnerability in action.

By limiting the formal testing to private test profiles Banga had created or had explicit permission to use, he found that at least 28% of these accounts were returning captions and links to private photos:

The researcher states that he shared his findings with Instagram's parent company, Meta, as early as October 12, 2025.

Source: BleepingComputer