I was sharing an old Turkish pop track on Spotify (“Füsun Önal – Ah Nerede”, 2004). Instead of the expected album art, Instagram showed a completely unrelated person’s Instagram profile screenshot, basically a silent injected ad.

I dug into how Spotify generates Instagram story assets and mapped possible attack vectors in the legacy catalog pipeline. Curious if anyone’s seen similar behavior with older metadata ingestion paths.

Despite all the AI slop I don't quite get it, was the track metadata pushing an incorrect cover image (a screenshot of someone's Insta profile) or was it linking to an Insta profile (meaning the track/artist metadata had a field for their Insta and it was hijacked)?