Naked Security

Instagram bug could have allowed others to read your direct messages

Before you get too worried about this Instagram security bug: it's just been fixed. So let's just call this a cautionary tale.

We live in a world where app developers are rolling out new features non-stop. (“Software is eating the world” and all that.)

Notwithstanding all the fancy new devops and agile processes out there, when you’re in a huge hurry, sometimes security flaws squeeze through unnoticed.

That’s what happened to Instagram last week.

Its Android developers proudly rolled out a brand-new feature that made it easy to set up a shared account to complement your private account. You’d be able to switch between up to five accounts without logging out and re-logging into another one. Cool, right?

But, according to the Android experts at Android Central, many users who tried this got an unpleasant surprise: if you shared one account with other users, they started seeing notifications about private direct messages to the account you didn’t share.

Unauthorized users couldn’t actually reply to these messages; trying to do so would simply display their own accounts. But they could see what-you-probably-thought-was-private information – not least, who you were swapping messages with, their profile photo, and some of the message (but not the photo itself).

Android Central said the bug seemed sporadic, so maybe that’s why it escaped testing. There are no reports of similar flaws on Apple iOS or Windows Phone.

Instagram told Android Central that the issue has now been fixed.

If there’s an update available for your Android Instagram app, now’s a good time to go get it. While it’s installing, maybe give a moment’s thought to the challenge of writing secure apps for platforms as huge and diverse as Android.

When an app’s security features really matter to you, it’s no crime to step back from the bleeding edge and be a “second adopter.”

A while back, Instagram’s parent company Facebook abandoned its notorious motto, Move Fast and Break Things. But things do still break.

And with that final observation, we must share the world’s best comic on this very topic.

Image of Instagram user courtesy of Denys Prykhodov /


I’ve posted this before:

“This minor change I’m about to make
allows me only one mistake.
But why do people never see
that bugs occur in groups of three.”

*evil grin!* Oh, and empathy for the folks with the bug spray!


That’s nice, but there are also other bugs in their software, like the one that has made websites which allow people to view private Instagram profiles possible.


I have post notification on for an account I follow. Apparently, I’m also seeing photos she is posting on a private account, or is sending through DM to someone. There is no shared account. We only have one account that we both follow. Can’t help but wonder if I’m seeing photos shared privately with this person.

