Facebook has been doing its best to convince us that it’s concerned about user privacy and security, but it’s not doing a great job. Just a few days ago, we saw the latest proof that Facebook isn’t ready to protect all of your data. And if you wanted more proof that you should be careful about what kind of data you store on Facebook’s servers, even if temporarily, you need to read a new report. It turns out that private Instagram posts and videos can be accessed with relative ease by people who aren’t even following you.
The supposedly protected content posted to private accounts on Instagram and Facebook can be accessed, downloaded, and shared with third parties “with a stupidly simple work-around,” BuzzFeed discovered.
The hack, which isn’t really a hack, “requires only a rudimentary understanding of HTML and a browser,” and works on Instagram stories as well:
It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.
Files including JPEGs and MP4s from private feeds and stories can be accessed with this method, and Facebook doesn’t seem to think it’s such a big deal. The critical detail to know here is that only those people who are friends or followers of the source can access the content, so not everyone can see your private content.
“The behavior described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people,” a Facebook spokesperson told BuzzFeed News. “It doesn’t give people access to a person’s private account.”
Facebook is right, in a way. But that doesn’t make this any better. The “hack” even works with ephemeral content like a private Instagram story that should expire after 24 hours or when it’s deleted. Links to that type content stay on Facebook’s servers for days, the report says, which is definitely not just like sharing a screenshot.
Also, this data contains some basic information about the photo or video, including details about how it was uploaded and photo dimensions. That’s the kind of information that you can’t get from screenshots, no matter how trivial it might be. Furthermore, the links prove that the content is authentic, whereas screenshots can always be faked.
Finally, private accounts and content are supposed to be private. That’s what users assume happens with their content, even if they’re aware some of their friends and followers might share the odd screenshots here and there. But having friends and followers access content directly from Facebook’s servers is probably something that shouldn’t happen on private accounts, no matter how the spokespeople try to spin it.