Private Instagram Stories, which are supposed to be automatically deleted after 24 hours, can remain live for an extra day – with some photos remaining on the service even longer…
BuzzFeed’s piece opens with a more dramatic-sounding claim.
Instagram is relying here on ‘security by obscurity’ – a URL you can’t realistically guess – which security professionals would say is bad practice. It’s not alone in this: Google Photos does something similar, though its approach is rather more secure than it might seem.
The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.
In practice, however, it’s not really that different from taking a screengrab of the photo and sharing that. But one additional criticism does appear valid.
That does seem to breach user trust: if they are told that something is deleted after 24 hours, then it ought to be deleted after 24 hours – not after 48 hours or longer – even if it is no longer present in the feed.
Privacy is becoming an increasingly high-profile issue for tech companies, with mainstream media now picking up on stories which would once have been the sole preserve of tech sites, so it’s important for companies to live up to their promises even when the actual risks are low. Even Apple has been caught up in privacy-related controversies, like the recent Siri ‘grading’ issue.
Photo: Shutterstock