This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them

I am Mayur Fartade from Maharashtra. This is my first bug in Facebook Bug bounty program.


This bug could have allowed a malicious user to view targeted media on Instagram. An attacker could have seen details of private/archived posts, stories, reels and IGTV videos without following the user, using only the media ID.
Details include like/comment/save count, display_url, image.uri, the linked Facebook Page (if any) and others.


User data could be read improperly. An attacker could regenerate a valid CDN URL for archived stories and posts. Also, by brute-forcing media IDs, an attacker could store the details of specific media and later filter out which ones are private or archived.

Repro steps


  1. Obtain the target's post/reel/IGTV/story media ID (by brute-forcing or another technique).
  2. Send a POST request to

    Where [MEDIA_ID] is the media_id of any post/reel/IGTV/story.
    doc_id is redacted.

  3. In the response, display_url, save_count and other details of that particular media are disclosed.

After a few days, I found another endpoint with doc_id=[REDACTED] which discloses the same information. access_token was passed in the POST request, so when I tried to access media of different accounts I got data:null in the response.


1. Send a POST request to

Where [MEDIA_ID] is the media_id of any post/reel/IGTV/story.
doc_id is redacted.
Other parameters are not included.
access_token is a valid Facebook access token.


2. Then I changed the access_token to null and got access to the information.
The same endpoint also discloses the Facebook Page linked to an Instagram account, but the link between a Facebook Page and an Instagram account is public. You can see it here
Where PAGE_ID is the Facebook Page ID.
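The second endpoint only enforced the visibility check when an access_token was present, so a null token skipped it. The added example below (my own illustration, not Instagram's code; the media store, tokens and follower lists are constructed) models that flaw beside a handler that authorises every request and returns the same data:null for unknown and forbidden IDs, so the response cannot be used to tell private or archived media apart.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Media:
    media_id: int
    owner_id: int
    owner_is_private: bool   # owner's account is private
    is_archived: bool
    display_url: str
    save_count: int

# Constructed sample data: one private owner (1) with a normal and an archived
# post, one public owner (2); user 3 is an approved follower of user 1.
MEDIA = {
    101: Media(101, 1, True, False, "https://cdn.example/101.jpg", 7),
    102: Media(102, 1, True, True, "https://cdn.example/102.jpg", 2),
    103: Media(103, 2, False, False, "https://cdn.example/103.jpg", 40),
}
FOLLOWERS = {1: {3}}
TOKENS = {"tok-1": 1, "tok-3": 3, "tok-4": 4}   # constructed access tokens

def resolve_viewer(access_token: Optional[str]) -> Optional[int]:
    """Null, empty or unknown tokens resolve to an anonymous viewer (None)."""
    return TOKENS.get(access_token) if access_token else None

def can_view(media: Media, viewer_id: Optional[int]) -> bool:
    """Visibility rule, evaluated for every request, anonymous ones included."""
    if viewer_id == media.owner_id:
        return True
    if media.is_archived:              # archived media is owner-only
        return False
    if not media.owner_is_private:     # public account, public media
        return True
    return viewer_id is not None and viewer_id in FOLLOWERS.get(media.owner_id, set())

def media_details_vulnerable(media_id: int, access_token: Optional[str]) -> dict:
    """Models the reported behaviour: the check only runs when a token is sent."""
    media = MEDIA.get(media_id)
    if media is None or (access_token and not can_view(media, resolve_viewer(access_token))):
        return {"data": None}
    return {"data": {"display_url": media.display_url, "save_count": media.save_count}}

def media_details_fixed(media_id: int, access_token: Optional[str]) -> dict:
    """Authorise unconditionally; unknown and forbidden ids look identical."""
    media = MEDIA.get(media_id)
    if media is None or not can_view(media, resolve_viewer(access_token)):
        return {"data": None}
    return {"data": {"display_url": media.display_url, "save_count": media.save_count}}
```

A regression test for this class of bug sends every media-reading request once with no token, once with an unrelated user's token and once with the owner's token, and asserts that only the last one sees private or archived items.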




Instagram has changed the above endpoints.


16 April 2021 : Report sent
19 April 2021 : Reply from Facebook Security Team – Need more info
19 April 2021 : Information Sent
22 April 2021 : Report Triaged
23 April 2021 : Found another endpoint disclosing the same info
29 April 2021 : Fixed
29 April 2021 : Vulnerability not completely patched. Sent the information to FB Security Team
…. some messages exchanged …
15 June 2021 : Awarded $30000 bounty.

