When people are given privacy, they expect a place where they can do things in private. That is not the case on Instagram.
Photos and videos posted to private accounts on Instagram and Facebook aren't as private as people might have thought: they can be accessed, downloaded, and distributed publicly by friends, followers and non-followers through a simple workaround.
All that is required is a basic understanding of HTML, a browser, and a few clicks.
That is according to a report by The Tech + News Working Group, a BuzzFeed News collaboration between reporters and members of the technology departments, as well as data scientists and product managers.
The method involves inspecting the images and videos that are being loaded on the page, locating the URL, and retrieving the source.
According to the report, private feeds have URLs that are nonetheless public, meaning that they can be accessed and viewed by anyone, even someone who is not logged in to Instagram or doesn't follow that private user.
In other words, JPEGs and MP4s from users' private feeds and Stories can be viewed, downloaded, and even shared.
This simple hack even works on Stories that have expired or have been deleted.
These public URLs can expose their contents for at least a couple of days, and links to photos on feeds can remain live for potentially even longer.
What makes things worse is that while Instagram tracks who sees users' content in the app, it doesn't track who is looking at users' content via public URLs.
If someone were to publicly share another user's private images or videos without permission, they could do so without that user knowing who did it or how many people had seen it.
And because this privacy misconfiguration is in Facebook's own content delivery network, the hack also works on private Facebook content. So if a friend or follower grabs the link, they can use it to share that content with nonfriends and nonfollowers.
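The report describes media URLs that work for anyone holding them, leave no view record, and outlive deletion. The following added example (not Facebook's or Instagram's code) contrasts that behaviour with a per-request check; every name, the signing scheme and the sample data are assumptions constructed for illustration, and the viewer identity is assumed to come from an authenticated session.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"                 # constructed key, illustration only
FOLLOWERS = {"alice_private": {"bob"}}           # constructed follower graph
MEDIA = {"m1": {"owner": "alice_private", "deleted": False}}  # constructed store
ACCESS_LOG = []                                  # (media_id, viewer) audit trail


def bearer_url_fetch(media_id):
    """Behaviour the article describes: holding the URL is enough."""
    # No viewer identity, follower check, deletion check or log entry.
    return media_id in MEDIA


def sign(media_id, viewer, expires):
    """Bind a link to one viewer and one expiry time (hypothetical scheme)."""
    msg = f"{media_id}|{viewer}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def authorized_fetch(media_id, viewer, expires, sig, now):
    """Per-request check: deletion state, expiry, signature, follower status."""
    item = MEDIA.get(media_id)
    if item is None or item["deleted"]:
        return False                       # deleted content is never served
    if now > expires:
        return False                       # link has expired
    if not hmac.compare_digest(sig, sign(media_id, viewer, expires)):
        return False                       # link was issued to a different viewer
    allowed = FOLLOWERS.get(item["owner"], set()) | {item["owner"]}
    if viewer not in allowed:
        return False                       # viewer does not follow the private account
    ACCESS_LOG.append((media_id, viewer))  # record who fetched it
    return True
```

With this check a link forwarded by a follower fails for any other viewer, and each successful fetch is recorded.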
Responding to BuzzFeed News' report, Facebook's spokesperson said that:
In fact, this is different from someone taking a screenshot of a private account.
First of all, public URLs contain some basic information about the photo or video they link to, including details about how it was uploaded, photo dimensions, and others. They also prove authenticity in a way that can't simply be faked, because they are hosted on Facebook's CDN, and not on some third party.
The second issue goes beyond that, as it highlights how Facebook's CDN keeps storing photos and videos even after users have deleted them and believed them to have been removed.
This privacy mishap is particularly egregious given Facebook's ongoing privacy problems.
Founder and CEO Mark Zuckerberg made a pledge on privacy when he introduced a "privacy-focused vision for social networking". What he said at the time: "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you."
And here, Facebook is again showing how vulnerable its platforms really are, despite what it claims are continuous attempts to prove otherwise.