Bypassing Threads Block System: Blocked Users Can Still View Custom Feed Content
2026-03-15 15:47:39 Author: infosecwriteups.com

Abu Idris Al-Muhaqqiq

Summary

A blocked user can still access and view content from the blocking user’s public custom feed by manipulating a request when pinning a feed to their home interface.

Although the Threads interface correctly blocks direct access to the feed URL and shows an error message, the backend does not properly enforce the block restriction when handling the useBarcelonaCreateColumnMutation GraphQL request.

As a result, the blocked user can bypass the restriction and successfully load the blocking user’s feed content.

Description

Threads states that when a user blocks another account:

“Blocked users won’t be able to find your profile or content on Threads or Instagram.”

However, this restriction is not fully enforced on the backend.

When a blocked user directly visits the blocking user’s public custom feed URL, the UI returns an error message such as:

“Something went wrong, please try again later.”

Despite this UI restriction, the backend GraphQL mutation useBarcelonaCreateColumnMutation still allows the blocked user to pin the blocking user's public feed to their home interface by modifying the relativeURL parameter in the request.

After the request is successfully processed, the blocked user can access and view the content of the blocking user’s public custom feed directly from their home dashboard.

This demonstrates that the blocking mechanism is only enforced at the UI level and not properly validated server-side.
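As an added illustration of the server-side check the description says is missing (this is constructed example code, not Threads' or Meta's implementation, and every name, path format and store layout here is an assumption), the following models a "pin feed to home" mutation resolver twice: once accepting the relativeURL as the client sent it, and once resolving the feed's owner and applying the block relationship before the column is created.

```python
import re
from dataclasses import dataclass, field

# Assumed path shape for a custom feed; the real format is not documented on the page.
FEED_PATH = re.compile(r"^/custom_feed/([A-Za-z0-9_-]+)$")


@dataclass
class Store:
    """Constructed in-memory state standing in for the backend's data."""
    feed_owner: dict = field(default_factory=dict)  # feed_id -> owner user id
    blocks: set = field(default_factory=set)        # (blocker_id, blocked_id) pairs


def is_blocked(store: Store, viewer: str, owner: str) -> bool:
    """True when the feed owner has blocked the viewer."""
    return (owner, viewer) in store.blocks


def create_column_vulnerable(store: Store, actor: str, relative_url: str) -> dict:
    """Mirrors the reported bug: the path is accepted without asking who owns the feed,
    so a block enforced only by the UI route is never consulted here."""
    m = FEED_PATH.match(relative_url)
    if not m:
        return {"ok": False, "error": "bad path"}
    return {"ok": True, "feed_id": m.group(1)}


def create_column_hardened(store: Store, actor: str, relative_url: str) -> dict:
    """Resolve the owner server-side and apply the block check at the data layer,
    so it holds regardless of which client route or mutation carried the request."""
    m = FEED_PATH.match(relative_url)
    if not m:
        return {"ok": False, "error": "bad path"}
    feed_id = m.group(1)
    owner = store.feed_owner.get(feed_id)
    if owner is None or is_blocked(store, actor, owner):
        # Same answer for "missing" and "blocked": the mutation then leaks nothing
        # about whether a feed id exists.
        return {"ok": False, "error": "not found"}
    return {"ok": True, "feed_id": feed_id}


def demo() -> tuple:
    """Constructed scenario: userA owns feedA and has blocked userB."""
    store = Store(feed_owner={"feedA": "userA", "feedB": "userB"},
                  blocks={("userA", "userB")})
    return (create_column_vulnerable(store, "userB", "/custom_feed/feedA")["ok"],
            create_column_hardened(store, "userB", "/custom_feed/feedA")["ok"],
            create_column_hardened(store, "userB", "/custom_feed/feedB")["ok"])
```

The same owner lookup and block check should also run when the pinned column is later rendered, since a column created before a block is applied would otherwise keep serving content afterwards.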

Environment

  • Platform: Threads
  • Browser: Firefox
  • OS: Windows

Users

  • User A: (Blocking User)
  • User B: (Blocked User)

Steps to Reproduce

1. Log in as User A.
2. Create a public custom feed.
3. Log in as User B.
4. Visit User A’s profile and navigate to their public custom feed.
5. Copy the Custom Feed ID from the URL.
6. Log back in as User A and block User B.
7. Log in again as User B and attempt to access User A’s custom feed via direct URL.


The application returns an error message:
“Something went wrong, please try again later.”

8. As User B, create your own public custom feed.
9. Click “Pin to Home” while intercepting the request using a proxy tool (e.g., Burp Suite).
10. Locate the following request:

POST /api/graphql HTTP/2
Host: www.threads.com
X-Fb-Friendly-Name: useBarcelonaCreateColumnMutation

11. In the request body, find the parameter:

"relativeURL": "/custom_feed/USER_B_CUSTOM_FEED_ID"

12. Replace it with User A’s custom feed ID:

"relativeURL": "/custom_feed/USER_A_CUSTOM_FEED_ID"

13. Send the modified request.
14. The server responds with:

HTTP/2 200 OK

15. Return to the Threads interface and click the Home icon.
16. The feed column containing User A’s public custom feed content will appear and can be viewed by User B, even though they are blocked.

Impact

This issue weakens the privacy guarantees of the blocking feature.

A blocked user should not be able to access or view any content from the user who blocked them. However, due to insufficient server-side validation, blocked users can still retrieve and view content from the blocking user’s public custom feed.

Timeline

November 11, 2025: Submit report
November 11, 2025: Automatic reply
November 11, 2025: Initial evaluation

Hi Abu Idris,
A member of Meta’s security team has seen your report and performed an initial evaluation. We will get back to you once we have more information to share.
Thanks,
MetaSecurity

March 11, 2026: Not Applicable



Article source: https://infosecwriteups.com/bypassing-threads-block-system-blocked-users-can-still-view-custom-feed-content-61a320325691?source=rss----7b722bfd1b8d---4