
An Instagram Vulnerability Could Allow Viewing Users’ Private, Archived Posts

by Abeerah Hashim

A serious security vulnerability in the Instagram platform potentially exposed users’ private posts and stories to non-following users. Following the bug report, Facebook fixed the flaw and awarded a hefty bounty to the researcher.

Instagram Vulnerability Exposed Private, Archived Posts

Security researcher Mayur Fartade found a security flaw affecting Instagram users. The vulnerability allowed anyone to view the private and/or archived posts and stories of other Instagram users without following them.

Sharing the details in a post, the researcher explained that anyone with the “media ID” for the target media could view the content. This may include viewing archived or private photos, videos, and more.

Nor did an adversary need to know the media ID in advance: the ID could also be brute-forced, giving access to more details.

As described in the post,

An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID.
Details include like/comment/save count, display_url, image.uri, Facebook linked page (if any) and other.

Besides the media ID, the researcher also found a similar vulnerability with another endpoint, “doc ID”.

Fartade has also explained the steps to reproduce the exploit in the blog post.
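
The flaw class described above, where possession of an object ID is treated as permission to read the object, is shown below as an added example; it is not code from the article, the researcher, or Instagram. The accounts, media IDs, URLs and function names are constructed for illustration, and the rule that archived media is visible only to its owner is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    private: bool = False
    followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner: str
    archived: bool = False
    like_count: int = 0
    display_url: str = ""

# Constructed sample data (hypothetical accounts, IDs and URLs).
ACCOUNTS = {
    "alice": Account("alice", private=True, followers={"bob"}),
    "carol": Account("carol"),
}
MEDIA = {
    1001: Media(1001, "alice", like_count=12, display_url="https://cdn.example/1001.jpg"),
    1002: Media(1002, "carol", archived=True, display_url="https://cdn.example/1002.jpg"),
    1003: Media(1003, "carol", display_url="https://cdn.example/1003.jpg"),
}

def media_info_vulnerable(viewer, media_id):
    """Flawed pattern: knowing (or guessing) the ID is treated as permission."""
    m = MEDIA.get(media_id)
    return None if m is None else {"like_count": m.like_count, "display_url": m.display_url}

def can_view(viewer, m):
    """One policy function, called by every endpoint that resolves media."""
    if viewer == m.owner:
        return True
    if m.archived:  # assumption of this model: archived media is owner-only
        return False
    owner = ACCOUNTS[m.owner]
    return not owner.private or viewer in owner.followers

def media_info_hardened(viewer, media_id):
    """Same lookup with an object-level check. Denied and nonexistent IDs
    return the same result, so responses do not confirm which IDs exist."""
    m = MEDIA.get(media_id)
    if m is None or not can_view(viewer, m):
        return None
    return {"like_count": m.like_count, "display_url": m.display_url}
```

Keeping the decision in a single `can_view` function matters for the second finding: a check added to one endpoint does nothing for another endpoint that resolves the same media by a different route.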

Facebook Fixed The Bug; Awarded $30,000

Upon discovering the bug, the researcher reported the matter to Facebook on April 16, 2021. After some back-and-forth messages, the discovery of another vulnerable endpoint on April 23, 2021, and the related communication, Facebook eventually addressed the matter on April 29, 2021.

However, the researcher found the fix to be incomplete. Hence, it took some more time for the tech giant to fix the bug.

Finally, in June 2021, Facebook patched the bug, which the researcher also confirmed. Moreover, for the bug report, the very first from Fartade to Facebook, the tech giant awarded a $30,000 bounty.

Hence, Instagram users are seemingly safe from potential exploits in this regard.

Let us know your thoughts in the comments.


1 comment

Lucky Maurya June 25, 2021 - 2:26 pm

Indian Hackers Is Now Rising 😂
