Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded and distributed publicly by friends and followers via a stupidly simple workaround.
The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged into Instagram or do not follow that private user.
According to tests performed by BuzzFeed’s Tech + News Working Group, JPGs and MP4s from private feeds and stories can be viewed, downloaded and shared publicly this way.
Instagram and Facebook had not yet provided comment at the time of publication.
The hack works even when images and videos in a private Instagram story expire or are deleted. URLs linking to content from stories seem to be valid for a couple of days, with links to photos on the feed potentially remaining live for even longer. The same is true for stories that have purportedly expired.
Because all of this data is being hosted by Facebook’s own content delivery network, the workaround also applies to private Facebook content. If a friend or follower grabs the link, they can use it to share that content with non-friends/non-followers. It’s worth noting that while Instagram tracks who sees your content on-app, it does not track who is looking at your content via public URLs. In other words, were someone to publicly share one of your private images or videos without your permission, you would have no idea who had done so or how many people had seen it.
This process differs from just taking a screenshot of a private account you’re following for a few reasons. These public URLs contain some basic info about the photo or video they link to — update time, photo dimensions and whatnot. They also prove authenticity; you can’t fake one. Beyond this is the issue of deleted photos and videos being stored on Facebook’s content delivery network after a person believes them to be deleted.
That photos and videos explicitly designated as private are so easily accessible and publicly shareable is particularly egregious given Facebook’s ongoing privacy missteps. Recall Facebook CEO Mark Zuckerberg’s privacy pledge from earlier this year.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote.
Quartz discovered a similar loophole for private Instagram content in 2015. Tests conducted by Quartz showed that a photograph posted to Instagram when a user’s account is set to public remained publicly viewable on the web, even if the user’s account was later made private.
“In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram,” a spokesperson told Quartz at the time.