I released this disclosure today regarding a server-side authorization bypass I found in Instagram.
The Vulnerability: By sending a GET request to instagram.com/<private_username> with specific mobile headers, the server returned the full polaris_timeline_connection JSON object containing direct CDN links to private posts, captions, and media. No login or follower relationship was required.
The Timeline & Contradiction:
- Oct 12: I reported the issue, with a video, POC script, and testing on my account jatin.py.
- Oct 14: Meta requested specific vulnerable accounts to test. I provided a consenting third-party account where the POC script successfully extracted 30 private URLs.
- Oct 16: The exploit stopped working on the accounts where it was previously working.
- Oct 27: Meta closed the report as "Not Applicable," stating they "could not reproduce" the issue and that "no changes were made directly in response".
The Current State: While the exploit no longer functions on the accounts I tested, Meta officially maintains the bug never existed. They attributed the change in behavior to "infrastructure changes" or "unintended side effects".
Without a root cause analysis or acknowledgment from Meta, it is impossible to confirm if the underlying authorization failure was actually patched or if this was an accidental fix that could regress.
The repository contains the POC script poc.py, SHA256 hashes of the video evidence, and the full logs of the communication.