Researcher Finds Instagram Bug That Exposed Photos From Private Accounts

Security researcher Banga released detailed evidence showing that in certain cases Instagram’s servers were exposing direct links to photos from private accounts. These links appeared in the page’s HTML without requiring user authentication. In simple terms, someone who wasn’t logged in — or wasn’t approved to follow the account — could still stumble upon URLs leading to private images.

How the leak worked

Under normal circumstances, Instagram’s private profiles are meant to act as a hard wall. Photos, reels, and stories should only be visible to people the account owner has approved.

Banga found that this wasn’t always happening. In the HTML source code of some private profiles, Instagram was embedding links to photos and captions that outsiders shouldn’t have been able to see. These links appeared inside a JSON object called polaris_timeline_connection, which was being returned by Instagram’s servers even when access should have been blocked.

What the researcher demonstrated

The exposed data included direct image URLs pointing to private photos, despite the viewer having no permission to access the account.

This strongly suggests a flaw in Instagram’s server-side logic — not just a cosmetic front-end bug or a browser caching issue. In other words, the problem was deeper than how the page was displayed.
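To make the server-side point concrete, here is an added example (not Instagram's code) contrasting a page renderer that serializes polaris_timeline_connection regardless of who is asking with one that authorizes the viewer first; the account, URLs and the inner field names ("edges", "display_url") are constructed assumptions for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    username: str
    is_private: bool
    approved_followers: set = field(default_factory=set)
    media_urls: list = field(default_factory=list)

# Constructed sample data: a private account with one approved follower.
ALICE = Account(
    username="alice",
    is_private=True,
    approved_followers={"bob"},
    media_urls=["https://cdn.example.invalid/alice/p1.jpg",
                "https://cdn.example.invalid/alice/p2.jpg"],
)

def viewer_may_see_media(account: Account, viewer: Optional[str]) -> bool:
    """Public accounts are open; private ones only to the owner or approved followers."""
    if not account.is_private:
        return True
    if viewer is None:  # anonymous request
        return False
    return viewer == account.username or viewer in account.approved_followers

def timeline_connection(account: Account) -> dict:
    # "edges" / "display_url" are assumed field names, not Instagram's real schema.
    return {"edges": [{"display_url": u} for u in account.media_urls]}

def render_profile_vulnerable(account: Account, viewer: Optional[str]) -> str:
    """Flawed pattern: timeline data is embedded in the HTML no matter who is asking."""
    page_data = {"user": {"username": account.username, "is_private": account.is_private},
                 "polaris_timeline_connection": timeline_connection(account)}
    return f'<script type="application/json">{json.dumps(page_data)}</script>'

def render_profile_fixed(account: Account, viewer: Optional[str]) -> str:
    """Hardened pattern: authorize first, then decide what the server serializes."""
    page_data = {"user": {"username": account.username, "is_private": account.is_private}}
    if viewer_may_see_media(account, viewer):
        page_data["polaris_timeline_connection"] = timeline_connection(account)
    else:
        page_data["polaris_timeline_connection"] = {"edges": []}  # no private URLs leave the server
    return f'<script type="application/json">{json.dumps(page_data)}</script>'

def leaked_media_urls(html: str, account: Account) -> list:
    """Regression check: which of the account's media URLs appear in the served HTML?"""
    return [u for u in account.media_urls if u in html]
```

Running leaked_media_urls against the page served to an anonymous viewer is the kind of regression test that catches this class of bug before release.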

Meta’s response

Meta, Instagram’s parent company, appears to have quietly fixed the issue around October 2025 after the report surfaced. However, the response raised eyebrows:

  • The bug report was reportedly closed as “not applicable,” with Meta claiming the issue could not be reproduced.
  • Users were not publicly informed, even though the issue involved potential exposure of private content.

What this means for users

While the issue seems to be resolved, it highlights some uncomfortable realities:

  • “Private” doesn’t always mean completely private if backend systems fail.
  • Platforms may fix serious privacy issues without clearly notifying users who could have been affected.

The bigger privacy picture

This incident fits into a broader pattern across social media and online platforms:

  • Previous bugs and third-party tools have accidentally exposed private photos or links.
  • APIs and backend systems on major platforms have repeatedly leaked sensitive data due to misconfigurations or logic errors.