Private Instagram posts and stories can be shared publicly using just a web browser

Instagram has a security flaw in the way it handles posts on accounts that are set to private, BuzzFeed reported today. The report illustrates how a series of mouse clicks in any web browser can expose the persistent URL of private posts and cached stories on Facebook's servers.

Anyone can use a web browser, such as Google Chrome, to inspect the source code of a web page using the 'Inspect Element' tool. By navigating to the 'Img' tab under the Network header, you can find the URL of every Instagram image you've clicked on, whether it's a disappearing story or a photo posted to a user's feed. That URL can then be shared and the photo viewed by anyone, including people who do not follow the private account in question.

The Verge was able to independently verify that this process actually works. The process is somewhat finicky, but usually by reloading the page of a private account (in this case my own account) and the 'Img' section, I could load the correct URL and confirm that it can be shared openly. Previews of the image even load in chat applications such as Slack. We also confirmed that another user could find the same URLs, to rule out that Instagram only made this type of data available to a user who was looking at their own private account.

In addition to revealing persistent URLs for photos posted to a private account, you can also use the same source code trick to retrieve URLs for the profile photos of other Instagram users who may have interacted with that post and whose accounts may also be set to private. Of course, you have to follow the private account in the first place to access the user's feed and stories, but the ease of exploitation points to an oversight on the part of Instagram's privacy and security teams.

According to BuzzFeed, these URLs still retrieve images from Facebook's servers even after the posts are deleted. This appears to apply both to photos posted to the feed and to stories that are deleted after 24 hours. BuzzFeed says that private story URLs still return the story several days after its expiry. The report also states that the same method works for retrieving URLs of private Facebook posts and photos, although The Verge has not yet been able to verify that independently.

Instagram did not respond immediately to a request for comment.