Loophole That Lets People Share Your Private Instagram Pics And Stories Isn’t A ‘Hack’ But Still, Heads Up

Here’s another reminder to be wary of what you share online: BuzzFeed News noticed on Tuesday that the way Instagram and its owner Facebook serve up media content allows for anyone who has access to a private photo or video to root around in the HTML code and copy-paste a direct link to it.

BuzzFeed wrote:

The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

According to tests performed by BuzzFeed’s Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.

Because all of this data is being hosted by Facebook’s own content delivery network, the work-around also applies to private Facebook content.

Here’s an example of such a link to a private Instagram image, per the Verge:

BuzzFeed is calling this a “hack,” but what’s really happening is Internet 101. When an authorised user loads a piece of content on Instagram in a browser, it’s trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server. This is not exactly uncommon for the content delivery networks (CDNs) that serve as the backbones of big websites; the simplest and least computationally expensive method of restricting unauthorised users from accessing the image or video in question is to make its URL very, very long.

So long, in fact, that it would be practically impossible for someone to randomly guess a direct link. In practice, this means that the URL-copying method can only be used by someone who already has access to the page where the URL appeared in the first place (or who is otherwise a malevolent AI).

It is possible to implement extra restrictions to prevent direct, unauthorised access to content via a CDN URL. But in a Y Combinator thread from 2010, users debated whether it would really be worth it for Facebook to devote manpower and resources to maintaining such a system, given that… screenshots exist.

That’s the defence Facebook raised in a statement to the Verge, saying, “The behaviour described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people. It doesn’t give people access to a person’s private account.”

(The newsworthiness of this is also debatable, given that the direct-URL method of accessing Instagram photos is… very widely known, to say the least.)

This is not to say that Facebook and Instagram cannot or should not implement extra authentication, given they practically vomit money every time they open their mouths and can almost certainly afford it. But it is to say that if there’s a traitor in your friends list, there’s not much Facebook can do about it if they even wanted to. Which they don’t.

Now credit where credit is due: BuzzFeed did find something a good bit more troubling. The URLs in question remain accessible for a period of time after the content in question has been deleted. Deleted Instagram stories were still accessible “for a couple days,” BuzzFeed wrote, and deleted public photos remained accessible at the URL for even longer. This is more concerning; it’s a way for anyone on the web to access the content after the user who uploaded it thinks it’s inaccessible.
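The “extra restrictions” mentioned earlier, and the post-deletion window described just above, can both be addressed with the signed, expiring links many CDNs support. The following is an added example written for this article, not code from BuzzFeed, Facebook or Instagram’s actual CDN; the signing key, the base URL and the in-memory deletion list are constructed assumptions standing in for the real infrastructure.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key: in a real deployment this is a secret shared only
# between the service that issues links and the CDN edge that serves them.
SECRET_KEY = b"example-cdn-signing-key-not-a-real-secret"

# Constructed tombstone set standing in for a CDN purge list: object ids the
# owner has deleted. Checking it at serve time closes the "still reachable for
# days after deletion" gap that a long random URL alone cannot close.
DELETED_OBJECTS = set()


def sign_url(base_url, object_id, ttl_seconds, now=None):
    """Return a link that is valid only until now + ttl_seconds.

    The HMAC covers both the object id and the expiry, so a copied link
    cannot be re-pointed at another object or given a later expiry.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    message = f"{object_id}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{base_url}/{object_id}?" + urlencode({"expires": expires, "sig": sig})


def verify_url(url, now=None):
    """Check a link the way an edge would: signature, then expiry, then deletion."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    object_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, f"{object_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if object_id in DELETED_OBJECTS:
        return False, "deleted"
    return True, "ok"
```

A copied link from a private feed would then stop working once its expiry passes, and a deleted story would stop being served as soon as its id is tombstoned rather than whenever the cache happens to age out.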

John Paczkowski, BuzzFeed’s tech and business editor, responded to the criticism by pointing out that the point is that the content remains accessible “for *days* after a person believes them to be deleted.” Plus, Facebook isn’t exactly trustworthy in the privacy department. And many Facebook and Instagram users are also doubtlessly unaware of just how many privacy loopholes exist in these platforms and how widely their data can be shared, so it’s arguably a public service to point these wrinkles out.

In any case, this is yet another reminder that private content is only as private as the people with access choose to keep it. Choose what you upload carefully, choose who gets to see it even more carefully, and never, ever assume that hitting “delete” on something has actually deleted it.