Instagram private profile photo leak claimed by researcher

In this photo illustration, the Facebook and Instagram apps are seen on the screen of an iPhone. Meta announced Friday that it uncovered more than 400 malicious Android and iOS apps this year that target Facebook users to steal their login information.   (Photo Illustration by Justin Sullivan/Getty Images)

Per Bleeping Computer, a security researcher has claimed to have discovered a significant privacy issue affecting Instagram, where links to private photos were accessible to unauthenticated users.

Security researcher Jatin Banga said that certain private Instagram profiles, when accessed from specific mobile devices, embedded links to private photos and their captions within the HTML response. This reportedly occurred despite the profile being set to private, which should restrict content to approved followers. Banga's proof-of-concept demonstrated that a JSON object within the HTML response contained encoded CDN links to these private images. He reported that approximately 28% of the private test profiles he examined exhibited this flaw. Banga shared his findings with Meta on October 12, 2025. He stated that Meta initially classified it as a CDN caching issue, which he disputed, arguing it was a server-side authorization failure. After further communication, Meta reportedly closed the issue as "not applicable" around October 16, 2025, though the exploit ceased working.
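The dispute in the report comes down to where the authorization decision is made: if the visible photo grid is gated but the JSON blob embedded in the HTML response is still built from the full media list, the page hides nothing from anyone who reads the source. The following added example (hypothetical code, not Instagram's or Meta's) shows that response-assembly pattern beside a fixed version where one server-side authorization check gates every part of the response, plus a defender-side check that extracts the embedded JSON and reports CDN links exposed to a given viewer. The CDN host, profile data and page layout are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical CDN host used by the constructed sample; not a real service.
CDN_HOST = "cdn.example-social.test"


@dataclass
class Profile:
    username: str
    is_private: bool
    approved_followers: set = field(default_factory=set)
    media: list = field(default_factory=list)  # list of (cdn_url, caption)


def can_view_media(profile, viewer):
    """Server-side authorization decision. Public profiles are open to all;
    private profiles only to approved followers. viewer=None means the
    request is unauthenticated."""
    if not profile.is_private:
        return True
    return viewer is not None and viewer in profile.approved_followers


def _page(username, is_private, grid_html, media):
    # The embedded JSON mirrors what a client-side renderer would consume.
    data = {"user": username, "private": is_private, "media": media}
    return (
        "<html><body>" + grid_html
        + "<script type='application/json' id='data'>" + json.dumps(data) + "</script>"
        + "</body></html>"
    )


def render_profile_vulnerable(profile, viewer=None):
    """Vulnerable pattern: the visible grid is gated, but the embedded JSON
    is built from the full media list regardless of who is asking."""
    allowed = can_view_media(profile, viewer)
    grid = "<div class='grid'>...</div>" if allowed else "<p>This account is private.</p>"
    media = [{"url": u, "caption": c} for u, c in profile.media]  # not gated
    return _page(profile.username, profile.is_private, grid, media)


def render_profile_fixed(profile, viewer=None):
    """Fixed pattern: the same authorization decision gates the grid and
    the embedded data, so an unauthorized response carries no media URLs."""
    allowed = can_view_media(profile, viewer)
    grid = "<div class='grid'>...</div>" if allowed else "<p>This account is private.</p>"
    media = [{"url": u, "caption": c} for u, c in profile.media] if allowed else []
    return _page(profile.username, profile.is_private, grid, media)


_DATA_RE = re.compile(r"<script type='application/json' id='data'>(.*?)</script>", re.S)


def leaked_media_urls(html, cdn_host=CDN_HOST):
    """Defender-side check: pull the embedded JSON out of the response and
    return any media URLs that point at the CDN host. A non-empty result for
    a private profile fetched without authorization means the page leaks."""
    m = _DATA_RE.search(html)
    if not m:
        return []
    data = json.loads(m.group(1))
    return [item["url"] for item in data.get("media", [])
            if urlparse(item.get("url", "")).hostname == cdn_host]


def exposure_rate(render, profiles, viewer=None):
    """Fraction of private profiles whose rendered page, for the given viewer
    (default: unauthenticated), contains CDN media links. Use this over a set
    of test profiles to regression-test a renderer; 0.0 if none are private."""
    private = [p for p in profiles if p.is_private]
    if not private:
        return 0.0
    exposed = sum(1 for p in private if leaked_media_urls(render(p, viewer)))
    return exposed / len(private)


# Constructed sample profiles: two private (one with an approved follower), one public.
SAMPLE_PROFILES = [
    Profile("alice", True, {"bob"}, [(f"https://{CDN_HOST}/alice/1.jpg", "beach")]),
    Profile("carol", True, set(), [(f"https://{CDN_HOST}/carol/1.jpg", "lunch"),
                                   (f"https://{CDN_HOST}/carol/2.jpg", "dog")]),
    Profile("dave", False, set(), [(f"https://{CDN_HOST}/dave/1.jpg", "hike")]),
]

if __name__ == "__main__":
    for name, render in (("vulnerable", render_profile_vulnerable),
                         ("fixed", render_profile_fixed)):
        print(name, "unauthenticated exposure rate:",
              exposure_rate(render, SAMPLE_PROFILES))
```

The check deliberately ignores the visible HTML and reads only the embedded data, which is the part a CDN-caching explanation does not account for: a cached object is served identically to everyone, whereas here the grid differs per viewer while the JSON does not, which is the signature of an authorization check applied to one part of the response and not the other.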

While Meta stated the issue was not reproducible, the researcher maintains it was patched, albeit without acknowledgment of the root cause.

Source: Bleeping Computer