Private posts on Instagram may be vulnerable to a very basic hack according to reports. The breach which surfaced on Wednesday showed that users’ photos and videos can be viewed by a series of mouse clicks on any web browser which exposes the persistent URL of private posts and stories cached on Facebook servers, thus making the private posts of users visible.
The hack – which works on Instagram stories as well – requires basic knowledge of HTML. It can be done in a handful of clicks, BuzzFeed News reported.
This is especially bad news for celebrities and young users who have protected their account from spam. To get access to the photos a user would simply have to use the inspect functionality in any modern-day web browser on Windows, Linux, macOS or Chrome OS. This obviously means one needs access to the public URL of the Instagram account holder with privacy settings turned on. Using the inspect element here, the public URL of photos and videos can be accessed and shared with just about anyone, Instagram user or not.
In response to the news, Facebook, which owns Instagram said that this is akin to taking a screenshot and sharing it with users. “It doesn’t give people access to a person’s private account,” a Facebook spokesperson reportedly said.
However the hack also works when images and videos are posted as a private Instagram story, which are meant to last for only 24 hours. Linking URLs to content from stories reportedly seem to be valid for a couple days; links to photos on the feed remain live for potentially even longer. The same is true for stories that have purportedly expired.
This hack could also work on private facebook content as Instagram’s content is stored on Facebook’s content delivery network.
This is the second data breach within a week at the social media behemoth. On 6 September 2018, phone numbers linked to hundreds of millions of Facebook accounts were found to have been left on an unprotected server, which could be accessed by anyone.
According to a TechCrunch report, the unsecured server contained over 419 Mn records of users across the globe. This comprised of 133 Mn US-based users, 18 Mn from the UK and 50 Mn from Vietnam, among others.
The data leak was found by Sanyam Jain, security researcher and member of the cybersecurity non-profit GDI Foundation, which has found such cases of poor security in the past.
Facebook CEO Mark Zuckerberg had made a privacy pledge earlier this year, when he introduced a “privacy-focused vision for social networking” after a 2018 that was plagued by scandals and data mishaps. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote in 2018.