Loophole That Lets People Share Your Private Instagram Pics and Stories Isn't a 'Hack'—but Still, Heads Up

Tom McKay Sep 10, 2019. 10 comments

Here’s another reminder to be wary of what you share online: BuzzFeed News noticed on Monday that the way Instagram and its owner Facebook serve up media content allows for anyone who has access to a private photo or video to root around in the HTML code and copy-paste a direct link to it.

BuzzFeed wrote:

The hack—which works on Instagram stories as well—requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

According to tests performed by BuzzFeed’s Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.

...

Because all of this data is being hosted by Facebook’s own content delivery network, the work-around also applies to private Facebook content.

Here’s an example of such a link to a private Instagram image, per the Verge:

https://scontent-lax3-1.cdninstagram.com/vp/0907741760b14f49ebbb7d45f1e4871e/5E092026/t51.2885-15/e35/s1080x1080/67509661_124712232143789_4496164141880255274_n.jpg?_nc_ht=scontent-lax3-1.cdninstagram.com

BuzzFeed is calling this a “hack,” but what’s really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it’s trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server. This is not exactly uncommon for the content delivery networks (CDNs) that serve as the backbones of big websites; the simplest and least computationally expensive method of restricting unauthorized users from accessing the image or video in question is to make its URL very, very long.

So long, in fact, that it would be practically impossible for someone to randomly guess what a direct link is. In practice, this means that the URL-copying method can only be used if someone has access to the page where the URL appeared in the first place (or is otherwise a malevolent AI). It is possible to implement extra restrictions to prevent direct, unauthorized access to content via a CDN URL. But in a YCombinator thread from 2010, users debated whether it would really be worth it for Facebook to devote manpower and resources to maintaining such a system, given that... screenshots exist.
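The "extra restrictions" mentioned above usually mean signed, expiring CDN URLs: the origin appends an expiry and a keyed hash, and the edge refuses any link whose hash does not match or whose expiry has passed. The following is an added illustration of that pattern, not code from Instagram, Facebook or any CDN vendor; the hostname, object path, signing key and timestamps are all constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical secret shared between the origin that mints links and the CDN
# edge that checks them. Constructed for this example; never ship a literal key.
SECRET_KEY = b"example-cdn-signing-key-not-real"


def sign_url(base_url: str, path: str, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Mint a link for `path` that stops resolving after `expires_at` (Unix seconds).

    The HMAC covers both the path and the expiry, so neither can be edited
    without invalidating the signature.
    """
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?{urlencode({'expires': expires_at, 'sig': sig})}"


def verify_url(url: str, now: int, key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Edge-side check: recompute the HMAC from the URL's own path and expiry,
    compare in constant time, then enforce the expiry."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires_at = int(qs["expires"][0])
        presented = qs["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed expires/sig"
    expected = hmac.new(key, f"{parts.path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    if now > expires_at:
        return False, "expired"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the happy path and the three ways a copied link should fail."""
    base = "https://cdn.example.invalid"          # placeholder host
    path = "/media/private-photo-12345.jpg"       # constructed object path
    issued = 1_700_000_000                        # constructed issue time
    url = sign_url(base, path, issued + 300)      # link valid for five minutes

    # Same link with the path swapped for another object, signature untouched.
    tampered = url.replace(path, "/media/other-photo-67890.jpg")
    # Bare link with no signature at all, as a leaked unsigned URL would be.
    unsigned = f"{base}{path}"

    return {
        "fresh": verify_url(url, now=issued + 10),
        "expired": verify_url(url, now=issued + 301),
        "tampered_path": verify_url(tampered, now=issued + 10),
        "no_sig": verify_url(unsigned, now=issued + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Two caveats follow directly from the article. First, a short expiry bounds how long a copied link keeps resolving, but it does nothing about a viewer who re-shares within the window or simply takes a screenshot, which is exactly Facebook's point. Second, a signature check is separate from cache eviction: a deleted object that still sits on an edge server needs an explicit purge, and an expiring signature only limits how long old links to it stay valid.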

That’s the defense Facebook raised in a statement to the Verge, saying, “The behavior described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people. It doesn’t give people access to a person’s private account.”

(The newsworthiness of this is also debatable, given that the direct-URL method of accessing Instagram photos is... very widely known, to say the least.)

This is not to say that Facebook and Instagram cannot or should not implement extra authentication, given they practically vomit money every time they open their mouths and can almost certainly afford it. But it is to say that if there’s a traitor in your friends list, there’s not much Facebook can do about it if they even wanted to. Which they don’t.

Now credit where credit is due: BuzzFeed did find something a good bit more troubling. The URLs in question remain accessible for a period of time after the content in question has been deleted. Deleted Instagram stories were still accessible “for a couple days,” BuzzFeed wrote, and deleted public photos remained accessible at the URL for even longer. This is more concerning; it’s a way for anyone on the web to access the content after the user who uploaded it thinks it’s inaccessible.

John Paczkowski, BuzzFeed’s tech and business editor, responded to the criticism by pointing out that the point is that the content remains accessible “for *days* after a person believes them to be deleted.” Plus, Facebook isn’t exactly trustworthy in the privacy department. And many Facebook and Instagram users are also doubtlessly unaware of just how many privacy loopholes exist in these platforms and how widely their data can be shared, so it’s arguably a public service to point these wrinkles out.

In any case, this is yet another reminder that private content is only as private as the people with access choose to keep it. Choose what you upload carefully, who you let see it even more so, and never, ever assume that hitting “delete” on something has actually deleted it.
