Instagram has fixed a privacy flaw that allowed anyone with the URL to see photos and videos posted on the service, even if the user’s account was set to private. At least, it has kind of fixed it.
The popular photo-sharing app, which was purchased by Facebook in 2012 for about $1 billion, has roughly 300 million active users, not all of whom choose to share their photos and videos with the general public.
Instagram allows users to set their accounts to private, which is supposed to mean that only a user’s Instagram followers (who are approved as such by the user) can view their posts.
However, prior to Instagram’s latest fix, if you shared a post when your account was set to public (the default setting) and then later decided to change your account to private, all the posts you made when your account was public would still be viewable with a URL to the post on Instagram.com.
The loophole was discovered by the online publication Quartz, which inquired about the bug before publishing a story on 12 January.
In a statement to Quartz, Instagram said it had fixed the problem as of 9 January:
In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram.
At Naked Security, we were a bit confused by Instagram’s statement, “web links that are not shared on other services are only viewable to their followers on Instagram.”
So we checked it out ourselves using our own personal Instagram accounts (two of us have Instagram accounts that are set to private).
Here’s what we figured out: when we uploaded a photo simultaneously to Instagram and to Facebook, one of us – who is not a follower of the other on Instagram – browsed to the Instagram URL and was able to see the photo.
We repeated the experiment on Twitter by uploading a photo on Instagram and Twitter simultaneously, and the result was the same – the URL generated by Instagram allowed someone who is not an Instagram follower to see the image.
We did the same experiment when not sharing simultaneously to Facebook or Twitter, and grabbed the image URL from Instagram.com – this time, we couldn’t see the image but instead got an Instagram.com page that said “Page Not Found.”
This might not seem like a big deal – but it’s conceivable that someone who wants to share a photo only to their Instagram followers and Facebook friends might be shocked to discover that their photo can be seen by anyone at the image URL generated by Instagram.
It’s worth repeating for clarity: even after Instagram’s privacy fix, your “private” posts are still viewable if you share them simultaneously on other services such as Facebook, Twitter, etc. – someone could copy that link and share it and it would be viewable by people who aren’t one of your followers.
Check your privacy settings
Privacy settings can be convoluted and confusing, even when they work as they’re supposed to.
You don’t have to be a victim of accidental oversharing.
Here’s some great tips from our experts to help you ensure your online accounts are as secure as you can make them.
- 5 tips to make your Facebook account safer
- How to improve your Twitter security and privacy
- 3 ways to make your Gmail account safer
- 3 tips for keeping your photos and other data safe when using iCloud
You can also follow all the latest privacy and security news on the Naked Security Facebook page.
Image of iPhone 6 in jeans pocket displaying Instagram application courtesy of Chukcha / Shutterstock.com.
