
Loophole That Lets People Share Your Private Instagram Pics and Stories Isn't a 'Hack'—but Still, Heads Up

Tom McKay Sep 10, 2019. 10 comments

Here’s another reminder to be wary of what you share online: BuzzFeed News noticed on Monday that the way Instagram and its owner Facebook serve up media lets anyone who can view a private photo or video inspect the page’s HTML and copy out a direct link to the file, a link that works without logging in.

BuzzFeed wrote:

The hack—which works on Instagram stories as well—requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

According to tests performed by BuzzFeed’s Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.

...

Because all of this data is being hosted by Facebook’s own content delivery network, the work-around also applies to private Facebook content.

Here’s an example of such a link to a private Instagram image, per the Verge:

https://scontent-lax3-1.cdninstagram.com/vp/0907741760b14f49ebbb7d45f1e4871e/5E092026/t51.2885-15/e35/s1080x1080/67509661_124712232143789_4496164141880255274_n.jpg?_nc_ht=scontent-lax3-1.cdninstagram.com

BuzzFeed is calling this a “hack,” but what’s really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, the browser has to fetch the image or video from somewhere, so the HTML necessarily contains a direct URL to the file on a server. That file is served by a content delivery network (CDN), the kind of infrastructure that forms the backbone of big websites, and the CDN hands the file to whoever presents the URL without checking who is asking. The simplest and least computationally expensive way of keeping unauthorized users away from the image or video is therefore to make its URL very, very long and effectively unguessable: the URL itself is the credential.

So long, in fact, that it is practically impossible for someone to randomly guess a direct link. In practice, this means the URL-copying method can only be used by someone who already had access to the page where the URL appeared (or who is otherwise a malevolent AI). It is possible to implement extra restrictions that prevent direct, unauthorized access to content via a CDN URL, for instance signing each URL so that it expires after a set time or is tied to a particular session. But in a Y Combinator thread from 2010, users debated whether it would really be worth it for Facebook to devote manpower and resources to maintaining such a system, given that... screenshots exist.

That’s the defense Facebook raised in a statement to the Verge, saying, “The behavior described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people. It doesn’t give people access to a person’s private account.”

(The newsworthiness of this is also debatable, given that the direct-URL method of accessing Instagram photos is... very widely known, to say the least.)

This is not to say that Facebook and Instagram cannot or should not implement extra authentication, given they practically vomit money every time they open their mouths and can almost certainly afford it. But it is to say that if there’s a traitor in your friends list, there’s not much Facebook can do about it if they even wanted to. Which they don’t.

Now credit where credit is due: BuzzFeed did find something a good bit more troubling. The URLs in question remain accessible for a period of time after the content in question has been deleted. Deleted Instagram stories were still accessible “for a couple days,” BuzzFeed wrote, and deleted public photos remained accessible at the URL for even longer. This is more concerning; it’s a way for anyone on the web who holds the link to access the content after the user who uploaded it thinks it’s gone. Deleting a post in the app and removing the file from every CDN edge cache are separate events, and a cached copy typically keeps being served until it expires or is explicitly purged.
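The “extra restrictions” mentioned above, and the window in which a deleted file stays reachable, come down to the same mechanism: whether the CDN checks anything beyond the path before serving bytes. Below is an added example, not code from Instagram, Facebook or BuzzFeed, of an HMAC-signed, expiring URL of the kind CDNs commonly support. The signing key, the helper names and the timestamp are assumptions; the link quoted earlier in the article is used only as sample input. Signing binds the link to one object and the expiry bounds how long a leaked link, or a link to something since deleted, keeps working.

```python
"""Signed, expiring CDN URLs: an added illustration, not Instagram's or
Facebook's code. SIGNING_KEY, the helper names and the "now" value are
assumptions; SAMPLE_URL is the link quoted in the article, used as input."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side key shared with the CDN edge, never sent to clients.
SIGNING_KEY = b"hypothetical-cdn-signing-key"

# The private-image link quoted in the article, used here only as sample input.
SAMPLE_URL = ("https://scontent-lax3-1.cdninstagram.com/vp/0907741760b14f49ebbb7d45f1e4871e/"
              "5E092026/t51.2885-15/e35/s1080x1080/67509661_124712232143789_"
              "4496164141880255274_n.jpg?_nc_ht=scontent-lax3-1.cdninstagram.com")


def _signature(path: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the object path and the expiry, base64url without padding."""
    msg = f"{path}|{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(url: str, ttl_seconds: int, now: int, key: bytes = SIGNING_KEY) -> str:
    """Return `url` with `expires` and `sig` query parameters appended.

    Only the path is signed, so the signature belongs to exactly one object and
    cannot be transplanted onto another file. Existing query parameters are kept.
    """
    parsed = urlparse(url)
    expires = now + ttl_seconds
    extra = urlencode({"expires": expires, "sig": _signature(parsed.path, expires, key)})
    sep = "&" if parsed.query else "?"
    return f"{url}{sep}{extra}"


def verify_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """The check a CDN edge would run before serving bytes: signed, unexpired, valid."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # unsigned request: refuse rather than fall back to the bare path
    if now >= expires:
        return False  # a leaked link, or one to deleted content, has aged out
    # Constant-time comparison: a timing leak here would let an attacker forge
    # a signature one byte at a time.
    return hmac.compare_digest(_signature(parsed.path, expires, key), sig)


if __name__ == "__main__":
    t0 = 1_568_073_600  # constructed "now": 2019-09-10 00:00 UTC
    signed = sign_url(SAMPLE_URL, ttl_seconds=3600, now=t0)
    print(signed)
    print("fresh:        ", verify_url(signed, now=t0 + 60))
    print("expired:      ", verify_url(signed, now=t0 + 3600))
    print("tampered path:", verify_url(signed.replace("/e35/", "/e36/"), now=t0 + 60))
    print("unsigned:     ", verify_url(SAMPLE_URL, now=t0 + 60))
```

A scheme like this only helps if the edge actually enforces it for every request and the key never reaches the browser; a signed link copied out of the HTML still works until its expiry, which is why the TTL is the knob that matters for the deleted-content problem. Purging the cached object on deletion is the other half, and the two are independent.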

John Paczkowski, BuzzFeed’s tech and business editor, responded to the criticism by noting that the point is that the content remains accessible “for *days* after a person believes them to be deleted.” Plus, Facebook isn’t exactly trustworthy in the privacy department. And many Facebook and Instagram users are doubtless unaware of just how many privacy loopholes exist in these platforms and how widely their data can be shared, so it’s arguably a public service to point these wrinkles out.

In any case, this is yet another reminder that private content is only as private as the people with access choose to keep it. Choose what you upload carefully, choose who gets to see it even more carefully, and never, ever assume that hitting “delete” on something has actually deleted it.
