Security researcher Jatin Banga demonstrated that some private Instagram profiles returned embedded links and captions to private photos in the HTML response, exposing them to unauthenticated visitors via a polaris_timeline_connection JSON object. He reported the issue to Meta, which appears to have fixed the behavior within days but later closed the report as “not applicable” without providing a root-cause analysis; #Instagram #Meta
Keypoints
- Researcher found private-profile HTML responses containing encoded CDN links and captions to private photos.
- The leak occurred for unauthenticated users on certain mobile device requests and was visible in the polaris_timeline_connection JSON.
- At least 28% of the private test accounts Banga created returned captions and links to private photos.
- Meta reportedly stopped the exploit 48–96 hours after the report but later closed the case as “not applicable” without root-cause confirmation.
- Banga published proof and communications documenting the flaw but says there’s no definitive confirmation the underlying issue is fully resolved.