It seems that it is becoming easier to bypass privacy measures on social media platforms. According to a report by data protection experts taken up by the BuzzFeed News website, there is a workaround that allows sharing private content posted on Instagram with unauthorized users.
Abusing this security loophole requires minimal understanding of HTML code and the use of any web browser. All the attacker should do is search for the images and videos that are uploaded to the page and then extract the source URL. This URL is public, so that any user can access the content without even logging into Instagram. This process only involves a few clicks; in addition it is possible to access photos, videos and stories published on the social network.
“We test various browsers and can now confirm that it is possible to download JPEG and MP4 files from any Instagram profile, regardless of whether it is private, and share it with any user”, mentioned the data protection experts.
In addition, it should be noted that, since these files are hosted on Facebook’s content delivery network, this little workaround is also functional to download and share private content posted on Facebook.
Although BuzzFeed refers to this technique as a “hacking”, it is actually a feature of the Internet. If a user accesses Instagram through a web browser, it’s easy to search the HTML and find the URL that redirects to the image or video location. The most common method to prevent this from happening is to craft very long URLs.
The URL should be so long that it is impossible for any user to guess what a direct link is, so the trick can only be used when someone has access to the page where the URL originally appears. In addition, there are other methods to protect the URL of the content delivery network.
However, data protection experts consider it highly unlikely that the social media giant will spend time and money to prevent the exploitation of this flaw, as the use of screenshots and smartphone screen record tools avoid the need to use this trick. “This error is, in practice, equivalent to taking a screenshot of the content on the Facebook or Instagram profile of any of our friends to share it with any other user; actually, this process does not give anyone access to a person’s private content,” mentions a Facebook statement regarding this issue.
While social media companies must implement all possible measures to protect the privacy of their users, data protection experts from the International Institute of Cyber Security (IICS) believe that there are other variables that escape completely out of their control. No matter if the social network prevents access to private content via URL, any of your friends on Facebook or Instagram followers could still take a screenshot of the content and share it with anyone.