Researcher Shows Instagram Private Profiles Leaking Photo Links in Server Responses


What happened

A security researcher, Jatin Banga, has published evidence that some private Instagram profiles returned links to private photos in server responses that could be fetched without authentication. The HTML source of certain private accounts contained embedded links and captions pointing to photo content that should have been restricted to approved followers. In tests with private test accounts, a JSON object embedded in the HTML response included encoded CDN URLs for the private photos. The exposure was device-dependent: it occurred when a profile was requested from certain mobile devices, which caused the private photo links to be included in the response. Meta fixed the issue after the report was submitted but closed the report as “not applicable,” stating that the vulnerability could not be reproduced.

Who is affected

Users with private Instagram accounts. Under specific conditions (profile requests from certain mobile devices), links to their private photos, together with captions and photo metadata, were embedded in server responses readable by unauthenticated viewers.

Why CISOs should care

The incident shows how an authorization failure in a widely used consumer platform can expose private user content through the backend response rather than the rendered interface: the restricted data was carried in an embedded JSON object with CDN URLs, and it surfaced only on one client variant. Access control applied when content is displayed, rather than before data is serialized into a response, is not access control.

3 practical actions

  • Review response handling, not just rendering. Check that authorization is applied to the data before it is serialized into HTML bootstrap JSON or API responses, and that every client code path (web, mobile app, mobile web) applies the same check, since this exposure depended on the requesting device.
  • Monitor third-party platform disclosures. Track reported issues affecting major consumer services used by employees, including reports the vendor closes as not reproducible, since a fix may still ship, as it did here.
  • Assess data exposure risks. Identify internal systems where backend responses (embedded JSON, API payloads, CDN links) could carry restricted content that the UI hides, and test them unauthenticated and across client variants.
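As an added example, not the researcher's tooling or Instagram's code, the following Python models the first and third actions above. It places the vulnerable pattern (the server serializes a private profile's media into the page's bootstrap JSON and relies on the client to hide it, with one client code path, assumed here to be the mobile one, forgetting to strip it) beside the hardened form (authorization applied to the data before serialization on every path), and adds an audit that requests the page unauthenticated as each client type and parses the embedded JSON for restricted CDN URLs. Account names, captions and URLs are constructed, and the device-dependent branch is an assumption made to mirror the behaviour the report describes.

```python
import json
import re

# Constructed sample data for the demo (hypothetical account, captions and
# CDN URLs; not real Instagram data).
PROFILES = {
    "alice": {
        "is_private": True,
        "followers": {"bob"},
        "media": [
            {"id": 101, "caption": "beach day",
             "cdn_url": "https://cdn.example.invalid/alice/101.jpg"},
            {"id": 102, "caption": "birthday",
             "cdn_url": "https://cdn.example.invalid/alice/102.jpg"},
        ],
    },
}


def can_view_media(profile, viewer):
    """Server-side rule: public profiles are visible to anyone, private
    profiles only to approved followers (viewer=None is unauthenticated)."""
    return (not profile["is_private"]) or (viewer in profile["followers"])


def render_page(bootstrap):
    """Server-rendered HTML with the profile's bootstrap JSON embedded in a
    <script> tag, the kind of object in which the report found CDN URLs."""
    return ('<html><body><script type="application/json" id="bootstrap">'
            + json.dumps(bootstrap) + "</script></body></html>")


def render_profile_vulnerable(username, viewer=None, client="web"):
    """Vulnerable pattern: the full media list is put into the page data and
    the client is relied on to hide it for private accounts. The web path
    strips it server-side; the mobile path (assumed here, to model the
    device-dependent leak the report describes) does not."""
    profile = PROFILES[username]
    data = {"username": username, "is_private": profile["is_private"],
            "media": profile["media"]}
    if client == "web" and not can_view_media(profile, viewer):
        data["media"] = []
    return render_page(data)


def render_profile_fixed(username, viewer=None, client="web"):
    """Hardened pattern: authorization is applied to the data before it is
    serialized, on every client path, so a response never carries media
    the viewer is not allowed to see."""
    profile = PROFILES[username]
    media = profile["media"] if can_view_media(profile, viewer) else []
    data = {"username": username, "is_private": profile["is_private"],
            "media": media}
    return render_page(data)


BOOTSTRAP_RE = re.compile(
    r'<script type="application/json" id="bootstrap">(.*?)</script>', re.S)


def _strings(obj):
    """Yield every string value in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def leaked_urls(html, restricted_urls):
    """Parse the embedded JSON out of a response and return which restricted
    CDN URLs appear anywhere in it. Parsing first (rather than grepping the
    raw HTML) decodes JSON escapes such as \\/ and \\u002F, so encoded URLs
    are still matched."""
    m = BOOTSTRAP_RE.search(html)
    if not m:
        return set()
    parsed = json.loads(m.group(1))
    return {u for s in _strings(parsed) for u in restricted_urls if u in s}


def audit(render, username="alice", clients=("web", "mobile")):
    """Request the profile unauthenticated as each client type and return the
    restricted URLs each response leaked, keyed by client."""
    restricted = {m["cdn_url"] for m in PROFILES[username]["media"]}
    return {c: leaked_urls(render(username, viewer=None, client=c), restricted)
            for c in clients}


if __name__ == "__main__":
    print("vulnerable:", audit(render_profile_vulnerable))
    print("fixed:     ", audit(render_profile_fixed))
```

Against a real system the render functions would be replaced by HTTP requests that vary the User-Agent and app headers, and the restricted URL list would come from an authenticated session that is allowed to see the content; the point of the audit is that the unauthenticated responses are compared across client variants, since a single "web" check would have passed in this model.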