Instagram quietly fixed a bug that exposed private photos without login: Here’s what we know

HIGHLIGHTS

The flaw stemmed from a server-side authorisation bug that exposed private media via specific mobile web requests.

Security researcher Jatin Banga found that around 28% of tested private accounts were affected under certain backend conditions.

Meta quietly fixed the issue in October 2025, calling it an unintended result of infrastructure changes.


Are you someone who loves to share your memories on Instagram? Then you should definitely read this. A previously undisclosed security flaw on Meta’s photo-sharing app put the private photos and captions of some users at risk, allowing access without logging in or even following the account. The issue was found by independent security researcher Jatin Banga and has since been fixed by Meta.


According to Banga, the issue resulted from a flaw in Instagram’s server-side authorisation checks on its mobile web interface. Under certain conditions, a well-crafted web request combined with specific mobile browser headers could retrieve data that should have been restricted to private accounts.

Instead of restricting access, Instagram’s servers occasionally returned detailed backend data that included direct links to private images and videos hosted on its content delivery network, as well as their captions. This behaviour was inconsistent and did not affect all private profiles, making the flaw more difficult to detect and potentially dangerous.


According to the reports, around 28 per cent of the private accounts sampled during testing were susceptible, while the others behaved as expected and remained protected. This selective exposure suggested the issue was tied to a particular backend state or session handling problem rather than a universal flaw across the platform.

Interestingly, the flaw was first reported to Meta on October 14, 2025, after being discovered on a third-party account. Within days, the company quietly implemented a fix. Meta later closed the report, stating that the vulnerability had been addressed as part of broader infrastructure updates rather than with a specific patch.

The issue no longer appears to be exploitable. However, Banga expressed concern about how it was handled, claiming that bugs affecting only a subset of users are more difficult to detect and mitigate.

Ashish Singh


Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek.
