A recently disclosed vulnerability within Instagram’s core infrastructure has raised significant questions about the platform’s privacy safeguards, revealing that private photos and their captions could be accessed by unauthenticated attackers without needing a login or an approved follower relationship. A security researcher, Jatin Banga, brought the critical server-side issue to light, demonstrating a method that could bypass the privacy controls intended to protect user content. The flaw, which was reportedly patched by Meta in October 2025, did not rely on a simple caching error but rather on a specific configuration of HTTP headers sent to the mobile web interface. This exploit allowed unauthorized individuals to retrieve direct links to high-resolution media from private accounts, undermining the fundamental expectation of privacy that users have when they set their profiles to “private.” The discovery and subsequent handling of the report by Meta have sparked a debate within the cybersecurity community about transparency and the effectiveness of bug bounty programs in addressing complex, conditional vulnerabilities.
1. Anatomy of the Polaris Exploit
The vulnerability’s root cause was identified as a profound failure in Instagram’s server-side authorization logic, a far more serious issue than a transient caching problem. The researcher, Jatin Banga, found that by sending a carefully crafted unauthenticated GET request to a private user’s profile URL (instagram.com/), the server could be tricked into revealing sensitive information. The key to this exploit was the manipulation of HTTP headers to mimic a mobile user-agent. This specific request triggered a server response containing a JSON object named polaris_timeline_connection. Under normal, secure circumstances, this object should be empty or severely restricted when a non-follower attempts to view a private account. However, for a subset of vulnerable accounts, the server erroneously returned a full edges array within this object. This array contained direct Content Delivery Network (CDN) links to the private account’s media files, along with their associated captions and other post details, effectively nullifying the account’s privacy settings.
The workflow for exploiting this flaw was alarmingly straightforward for a technically proficient attacker. The process began with the attacker sending the header-manipulated GET request to a targeted private profile. The Instagram server would then respond with the page’s HTML, which crucially contained the embedded JSON data. From there, the attacker would parse the polaris_timeline_connection object to locate the edges array, which held the trove of private data. The final step involved using the exposed CDN URLs to directly access and download high-resolution images and view post details, all without ever being authenticated or approved as a follower. It is important to note that this was a “conditional” bug; it did not affect every private account on the platform. During testing, approximately 28% of the authorized test accounts were found to be vulnerable, while the majority returned secure, empty responses. This suggests that a specific, and as yet unknown, backend state or a form of “corrupted” session handling was a prerequisite for the data leak to occur, making the flaw both inconsistent and difficult to detect.
2. A Controversial Bug Bounty Interaction
The disclosure of the vulnerability was preceded by a contentious 102-day interaction with Meta’s bug bounty program, a process that has drawn criticism for its lack of transparency. Jatin Banga submitted the initial detailed report on October 12, 2025, providing a comprehensive Proof-of-Concept (PoC) script and video evidence to substantiate his findings. The initial response from Meta’s security team was a rejection, with the team attributing the issue to a less severe CDN caching problem. Unsatisfied with this assessment, Banga persisted, leading Meta to request the specific details of vulnerable accounts for their own verification. On October 14, Banga complied, providing a consenting third-party account where the exploit could be reliably and successfully reproduced. This step was crucial in demonstrating that the flaw was not a fluke but a repeatable security failure affecting real users. The timeline that followed raised further questions about the handling of the report.
Just two days after the researcher provided the vulnerable account details, on October 16, the exploit suddenly ceased to function across all previously affected accounts. This strongly indicated that a server-side patch had been deployed, neutralizing the threat. However, Meta did not provide any notification or confirmation of this fix to the researcher. The situation escalated when, on October 27, Meta officially closed the report with the status “Not Applicable,” claiming they were “unable to reproduce” the issue—a statement that directly contradicted their earlier request for a vulnerable account to do just that. When challenged on this inconsistency, Meta’s security team suggested that the fix might have been an “unintended side effect” of other unrelated infrastructure changes. This explanation was met with skepticism, as it avoided a direct acknowledgment of the flaw and failed to provide a root cause analysis, leaving the security community to wonder if the underlying authorization failure was truly resolved or merely obscured by a temporary configuration shift.
The Lingering Questions of a Silent Fix
The resolution of this security incident left behind a trail of unresolved issues and concerns regarding corporate transparency. The handling of the disclosure highlighted the inherent dangers of conditional bugs, which, by affecting only a subset of users, can be more difficult to track and are arguably more insidious than vulnerabilities that impact an entire user base. Dismissing such a significant privacy leak as the result of coincidental “infrastructure changes” failed to inspire confidence in the robustness of the bug bounty process. This response sidestepped a crucial root cause analysis, which is essential for ensuring that similar authorization flaws do not reappear elsewhere in the platform’s complex architecture. The lack of a clear acknowledgment from Meta meant that the core vulnerability was never publicly detailed by the company, leaving users and researchers in the dark about the true nature and scale of the risk they had faced. In response to this perceived lack of transparency, the researcher took the step of releasing the full technical analysis, complete with network logs and a functional Python PoC script, to a public repository to facilitate peer review and independent validation of the findings.
