Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.
The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.
According to tests performed by BuzzFeed's Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.
“The behavior described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people," a Facebook spokesperson told BuzzFeed News. "It doesn’t give people access to a person’s private account."
But it's not exactly the same. There is a difference between being able to screenshot a private image from a webpage and being able to easily and publicly share the URL of that private image with unauthenticated users.
The hack works even when images and videos in a private Instagram story, which are meant to last for only 24 hours, expire or are deleted. URLs linking to content from stories seem to remain valid for a couple of days; links to photos on the feed remain live for potentially even longer. The same is true for stories that have purportedly expired.
Because all of this data is being hosted by Facebook’s own content delivery network, the work-around also applies to private Facebook content. If a friend or follower grabs the link, they can use it to share that content with nonfriends and nonfollowers. It’s worth noting that while Instagram tracks who sees your content on the app, it does not track who is looking at your content via public URLs. In other words, if someone were to publicly share one of your private images or videos without your permission, you would have no idea who had done so or how many people had seen it.
This process differs from just taking a screenshot of a private account you’re following for a few reasons. These public URLs contain some basic information about the photo or video they link to, including details about how it was uploaded and its dimensions. They also prove authenticity: you can’t fake one. Beyond this, deleted photos and videos remain stored on, and accessible from, Facebook's content delivery network after a person has taken action to remove them from their profile.
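The two properties the article highlights, links that stay live for days and deleted media that is still served from the CDN, are exactly what time-limited signed media URLs with a deletion check are meant to prevent. The following is an added illustration of that mitigation in Python; it is not code from the article, and it makes no claim about how Facebook's or Instagram's CDN actually works. The signing key, the `/media/<id>.<ext>` path convention, the `exp`/`sig` query parameters and the `DELETED_MEDIA` set are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed signing key for this example only; a real service would hold it in a KMS/HSM.
SIGNING_KEY = b"example-signing-key-not-real"

# Constructed stand-in for the origin's metadata store: ids of media the owner has deleted.
DELETED_MEDIA = {"media_deleted_001"}


def _signature(path: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the path and expiry, so neither can be changed without the key."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_media_url(base_url: str, ttl_seconds: int,
                   now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Return base_url with exp= and sig= query parameters granting access for ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    parts = urlsplit(base_url)
    query = {"exp": str(expires), "sig": _signature(parts.path, expires, key)}
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def media_id_from_path(path: str) -> str:
    """Assumed path convention for the example: /media/<id>.<ext> -> <id>."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def check_media_url(url: str, now: Optional[int] = None,
                    key: bytes = SIGNING_KEY, deleted=DELETED_MEDIA) -> Tuple[bool, str]:
    """Edge-side check a CDN would run before serving: signature, then expiry, then deletion.

    A link copied out of the page inspector stops working once exp passes, and a
    link to media the owner has deleted is refused even if it has not yet expired.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed exp/sig"
    # Verify the signature before trusting exp; compare_digest avoids timing leaks.
    if not hmac.compare_digest(sig, _signature(parts.path, expires, key)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if media_id_from_path(parts.path) in deleted:
        return False, "media deleted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a five-minute link is fine at +100 s and dead at +400 s.
    base = "https://cdn.example.invalid/media/media_ok_001.jpg"
    link = sign_media_url(base, ttl_seconds=300, now=1_000_000)
    print(link)
    print(check_media_url(link, now=1_000_100))
    print(check_media_url(link, now=1_000_400))
```

The order of the checks matters: the signature is verified first so that a tampered `exp` or a swapped media path is rejected as a bad signature rather than evaluated, and the deletion lookup runs last so that a valid, unexpired link still stops working once the owner removes the media, closing the "deleted but still served" gap the article describes.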
That photos and videos explicitly designated as private are so easily accessible and publicly shareable is particularly egregious given Facebook's ongoing privacy missteps. Recall Facebook CEO Mark Zuckerberg's privacy pledge from earlier this year, when he introduced a "privacy-focused vision for social networking" after a 2018 that was plagued by scandals and data mishaps.
“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg wrote in 2018.
Quartz discovered a similar loophole for private Instagram content in 2015. Tests conducted by Quartz showed that a photograph posted to Instagram when a user’s account was set to public remained publicly viewable on the web, even if the user’s account was later made private.
“In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram,” a spokesperson told Quartz at the time.