A major flaw has been identified in Instagram with regard to the way it handles posts and stories. Instagram lets an account go private, which allows only the followers of that private account to access its posts. But a recent report found that someone with a basic knowledge of HTML can get around this feature using a web browser.
The report reveals how any random person can use Google Chrome to inspect the images and videos that are loaded on a page and copy the source URL. This URL, and with it all the images of that private user, can then be shared with anyone, including people who don’t follow that private account or aren’t even on Instagram.
These URLs can also be used to pull out other URLs for the profile photos of Instagram users who may have interacted with a particular post and have private accounts. The only catch is that one must follow a private account in the first place to access the user’s posts. But anyone who follows that private account can pull out the URLs and make them public without the consent of the account holder, and this is a serious privacy and security violation.
And it gets worse as these URLs can retrieve images from Facebook servers long after the post has been deleted. This is applicable to both photos and stories.
The issue of deleted photos being stored on Facebook’s content delivery system is grave: a user believes the content to be deleted when it really is not, and any third party can access it without their knowledge.