Private Instagram Stories, which are supposed to be automatically deleted after 24 hours, can remain live for an extra day – with some photos remaining on the service even longer…
BuzzFeed’s piece opens with a more dramatic-sounding claim.
Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.
The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.
Instagram is relying here on ‘security by obscurity’ – a URL you can’t realistically guess – which security professionals would say is bad practice. It’s not alone in this: Google Photos does something similar, though its approach is rather more secure than it might seem.
In practice, however, it’s not really that different from taking a screengrab of the photo and sharing that. But one additional criticism does appear valid.
The hack works even when images and videos in a private Instagram story, which are meant to last for only 24 hours, expire or are deleted. Linking URLs to content from stories seems to be valid for a couple days; links to photos on the feed remain live for potentially even longer. The same is true for stories that have purportedly expired.
That does seem to breach user trust: if they are told that something is deleted after 24 hours, then it ought to be deleted after 24 hours – not after 48 hours or longer – even if it is no longer present in the feed.
Privacy is becoming an increasingly high-profile issue for tech companies, with mainstream media now picking up on stories which would once have been the sole preserve of tech sites, so it’s important for companies to live up to their promises even when the actual risks are low. Even Apple has been caught up in privacy-related controversies, like the recent Siri ‘grading’ issue.