
The discovery was made by chance: while browsing the mobile web version of Instagram, Jatin Banga noticed that the contents of some private profiles were visible without any authorization.
By analyzing the data traffic, he traced the cause to a backend vulnerability: a simple unauthenticated GET request to a private profile made the server return an HTML document containing a JSON object called polaris_timeline_connection.
This object included direct links to Instagram’s CDN, from which full-resolution photos and videos could be loaded. The issue was not a caching problem but a server-side failure to verify the requester’s access permissions before embedding sensitive data in the page source.
Banga conducted targeted tests on accounts he owned or whose owners had consented, and found that the vulnerability was intermittent.
Not all private profiles were exposed: the bug manifested only when the account was in an “abnormal” server-side state, which made the flaw hard to detect but extremely dangerous, since a single affected profile leaked its entire media timeline to anyone.
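The bug class described above, modelled in a small added example (this is not Meta’s or Banga’s code, and the page does not say what the “abnormal” state actually was). The model assumes a handler whose privacy check runs only on the expected code path, so any other account state falls through to the full timeline (fails open), beside a fail-closed version where a non-follower gets media only for a public account in a known-good state. It also includes the researcher-side check from the article: parse the JSON embedded in the page of an unauthenticated request and look for CDN links under polaris_timeline_connection. The HTML layout, the CDN host, the Account fields and all function names are assumptions for the illustration.

```python
import json
import re
from dataclasses import dataclass, field

# Assumption: stand-in for Instagram's CDN host, used to recognise media links.
CDN_HOST = "cdn.example-instagram.test"


@dataclass
class Account:
    username: str
    is_private: bool
    followers: set = field(default_factory=set)
    media_urls: list = field(default_factory=list)
    # Assumption: a generic server-side state flag. The article only says the
    # bug showed when the account was in an "abnormal" state, not what that was.
    state: str = "normal"


def timeline_json(account):
    """Build the timeline object that the page embeds (shape is an assumption)."""
    edges = [{"node": {"display_url": u}} for u in account.media_urls]
    return {"polaris_timeline_connection": {"edges": edges}}


def embed(payload):
    """Render the page with the JSON object inlined in the HTML source."""
    return ('<html><body><script type="application/json" id="polaris">'
            + json.dumps(payload) + "</script></body></html>")


def render_profile_vulnerable(account, viewer):
    """Vulnerable handler: the privacy check lives only on the 'normal' path,
    so an account in any other state is rendered with the full timeline even
    for an anonymous viewer (fails open). Illustrative model of the bug class."""
    if account.state == "normal" and account.is_private and viewer not in account.followers:
        payload = {"polaris_timeline_connection": {"edges": []}}
    else:
        payload = timeline_json(account)
    return embed(payload)


def viewer_can_see_media(account, viewer):
    """Fail-closed authorization: owner and approved followers always pass;
    anyone else only sees a public account in a known-good state. An unexpected
    state never widens access."""
    if viewer == account.username or viewer in account.followers:
        return True
    return (not account.is_private) and account.state == "normal"


def render_profile_fixed(account, viewer):
    """Fixed handler: decide access first, then serialise only what is allowed."""
    if viewer_can_see_media(account, viewer):
        payload = timeline_json(account)
    else:
        payload = {"polaris_timeline_connection": {"edges": []}}
    return embed(payload)


SCRIPT_RE = re.compile(
    r'<script type="application/json" id="polaris">(.*?)</script>', re.S)


def leaked_cdn_urls(html, cdn_host=CDN_HOST):
    """Researcher-side check: pull the embedded JSON out of the page and return
    any CDN media URLs under polaris_timeline_connection. A non-empty result
    from an unauthenticated request to a private profile means the server
    skipped its permission check."""
    m = SCRIPT_RE.search(html)
    if not m:
        return []
    data = json.loads(m.group(1))
    conn = data.get("polaris_timeline_connection", {})
    urls = [e["node"]["display_url"] for e in conn.get("edges", []) if "node" in e]
    return [u for u in urls if cdn_host in u]


def demo():
    """Anonymous GET (viewer=None) against a private account in both states.
    Returns the number of CDN URLs leaked by each handler."""
    private = Account("alice", True, followers={"bob"},
                      media_urls=[f"https://{CDN_HOST}/alice/photo1.jpg"])
    results = {}
    for state in ("normal", "abnormal"):
        private.state = state
        results[("vulnerable", state)] = len(leaked_cdn_urls(render_profile_vulnerable(private, None)))
        results[("fixed", state)] = len(leaked_cdn_urls(render_profile_fixed(private, None)))
    return results


if __name__ == "__main__":
    for key, count in demo().items():
        print(key, count)
```

The vulnerable handler leaks nothing in the normal state and one CDN link in the abnormal state, which is exactly the intermittent behaviour that made the report hard to reproduce; the fixed handler leaks nothing in either state while still serving approved followers and public accounts.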
On October 12, 2025, Banga submitted a detailed report to Meta’s Bug Bounty program, attaching Python scripts and video evidence. Despite the documentation, Meta initially struggled to reproduce the bug and closed the report.
Banga had to persist, providing additional network logs and demonstrating that the problem lay in server-side permission checking and not in expected application behavior.
On October 16, 2025, Banga confirmed that the bug had been fixed: GET requests no longer returned private data. However, Meta handled the case with little transparency. Only on November 11 did the company officially respond, declaring the bug “Not Reproducible” and closing the report as “Not Applicable” (thus denying the financial reward).
Meta’s response: “The fact that a non-reproducible issue has been fixed doesn’t change the fact that it wasn’t reproducible at the time. Even if the issue were reproducible, it’s possible that a change was made to fix a different issue, and that issue was fixed as an unintended side effect.”

Meta attributed the bug’s disappearance to generic “infrastructure changes,” ignoring the evidence provided by the researcher. Banga then went public with the story to highlight the risks associated with “conditional bugs” and criticize the security practices of platforms hosting billions of people’s sensitive data.
