The discovery

Security researcher Jatin Banga found a server-side vulnerability in Instagram's infrastructure that allowed unauthorized access to private content. The flaw, silently fixed by Meta in October 2025, was only made public in January 2026.

How the attack worked

The vulnerability lay in how Instagram's servers handled requests for media content. An attacker could exploit this weakness to completely bypass access controls, gaining the ability to:

  • View photos posted on private accounts
  • Read captions attached to posts
  • Access content with no relationship to the account owner

The most serious aspect was the total absence of authentication requirements. There was no need to log in, nor to be a follower of the target account. Any user, even a completely anonymous one, could potentially access private material.

Privacy impact

The severity of this vulnerability stems from the very nature of private accounts on Instagram. Users who set their profile to private do so expecting that only approved followers can see their content. A flaw of this kind completely undermines that protection.

No details have been disclosed about any exploitation of the vulnerability before the patch, nor about how many accounts may have been exposed.

Meta's response

Meta applied a fix in October 2025, without issuing any public communication. This practice, known as "silent patching", is common among large platforms when dealing with already-resolved vulnerabilities. The researcher's responsible disclosure only happened after confirming the fix had been deployed.

Technical considerations

Server-side vulnerabilities that allow authentication bypass are among the most critical categories in web application security. In this specific case, the problem likely lay in server-side authorization logic, where visibility permission checks weren't being correctly applied for certain endpoints or request types.

This kind of flaw underscores the importance of implementing access controls at multiple layers and regularly subjecting infrastructure to thorough security testing.