Instagram, the photo-sharing platform, has a serious security vulnerability in how it handles private accounts: photos and videos posted to private accounts are not as private as they may seem.
A report from BuzzFeed shows how they can be accessed, downloaded, and publicly shared by friends and followers, using only a rudimentary understanding of HTML and a web browser.
It takes a series of mouse clicks in any web browser to reveal the static URL of posts and private stories cached on Facebook servers. Anyone can use a web browser, such as Google Chrome, to examine a webpage's source code with the Inspect Element tool.
By accessing the “Img” section, you can find the URL of any Instagram image that was clicked, whether it is a disappearing story or an image published in the user’s feed.
This URL can then be shared and displayed by anyone, including people who are not following the respective account. According to the tests, JPEG and MP4 files can be viewed, downloaded, and shared in this way.
In addition to revealing static URLs for images posted to a private account, this method also allows the extraction of URLs for account images of other Instagram users who may have interacted with the post and who may have their own accounts as well.
The report explains that the private account must first be followed in order to access the user’s feed and stories, but the flaw and the ease of exploiting it are unintentional failures by the Instagram privacy and security teams.
URLs continue to retrieve images from Facebook servers even after the posts are deleted, both for images published in the feed and for stories deleted after 24 hours. Story URLs keep returning the content for several days after the expiration date.
The report states that the same method retrieves the URLs of private Facebook posts and photos.
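The behaviour the report describes, set beside the fetch-time access check whose absence makes it possible, as a toy model added here (not code from BuzzFeed, Instagram or Facebook). `MediaStore`, its methods and the accounts `alice` and `bob` are hypothetical, and the random token stands in for the static URL.

```python
import secrets
import time

STORY_TTL = 24 * 3600  # stories expire after 24 hours, per the report

class MediaStore:
    """Toy model of a private-media backend (hypothetical design)."""

    def __init__(self):
        self.blobs = {}      # URL token -> bytes held by the cache
        self.posts = {}      # URL token -> state used for access decisions
        self.followers = {}  # owner -> set of approved followers

    def publish(self, owner, data, story=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.blobs[token] = data
        self.posts[token] = {"owner": owner, "deleted": False,
                             "expires": now + STORY_TTL if story else None}
        return token

    def delete(self, token):
        # The app marks the post deleted; the cached blob is left in place.
        self.posts[token]["deleted"] = True

    def fetch_static(self, token):
        """Behaviour in the report: knowing the URL is the only requirement."""
        return self.blobs.get(token)

    def fetch_checked(self, token, viewer, now=None):
        """Hardened variant: authorize each fetch against current state."""
        now = time.time() if now is None else now
        post = self.posts.get(token)
        if post is None or post["deleted"]:
            return None
        if post["expires"] is not None and now >= post["expires"]:
            return None
        allowed = self.followers.get(post["owner"], set()) | {post["owner"]}
        return self.blobs[token] if viewer in allowed else None

def demo():
    store = MediaStore()
    store.followers["alice"] = {"bob"}          # constructed sample accounts
    photo = store.publish("alice", b"JPEG-bytes", now=0)
    store.delete(photo)
    return {"static_after_delete": store.fetch_static(photo) is not None,
            "checked_after_delete": store.fetch_checked(photo, "bob", now=1) is not None}

if __name__ == "__main__":
    print(demo())
```
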
Source: BuzzFeed