Private Instagram posts may not be so private after all. BuzzFeed just reported on a security flaw in the web version of Instagram in which a series of mouse clicks in any web browser allows anyone to expose the persistent URL of private posts and stories cached on Facebook servers.

The process involves using a web browser, such as Google Chrome, then inspecting the source code of a web page via the "Inspect Elements" tool. By tabbing over to the "Img" section under "Network," a user can find the URL of any Instagram image they've clicked on, regardless of whether it's a disappearing story or a photo published to a user's private feed.

That URL, then, can be shared and viewed by anyone, even people who aren't following the private account, as BuzzFeed reports.

Private Instagram Posts

The Verge tested the exploit and confirmed that it works. The process involves several steps, but is fairly easy to achieve. By reloading the page of a private account and loading the "Img" section, it was able to locate the right URL and share it. Worse, previews of these private images even load when the URLs are pasted into chat applications such as Slack.

Apart from revealing persistent URLs for private photos, the same trick also lets any user pull URLs for profile photos of other Instagram users who may have interacted with that post and have their accounts set to private. The user is still required to follow the said account to gain access to their feed and stories, of course. However, the flaw makes it a lot easier to access what should remain inaccessible and represents a gaping flaw within Instagram's privacy policies.

BuzzFeed says the URLs will still retrieve images from Facebook servers even if the photos are deleted. This appears to apply to both photos posted to users' feeds and stories, which disappear after a day. What's more, URLs for private stories will bring back the story days after they're supposed to be gone.

This Isn't The First Exploit Ever Discovered

The flaw in question is certainly concerning, but it's not the first. In 2015, Quartz discovered a similar loophole involving private content on Instagram. In this exploit, a photograph posted to the app when a user's account was set to public remained publicly visible on the web version even if the user's account was made private after the fact. Instagram promptly released an update after this got traction.

Make sure to check back with Tech Times as we learn more.
