
Your Private Instagram, Facebook Posts Aren't That Private

If you know the right tricks, a private Instagram account is as secure as my public account.

A private social media account is supposed to give you the power to protect your posts, photos and other content from strangers, colleagues, family members and other folks. Turns out that's not exactly the case over at Instagram (and at Facebook too).

A trio of BuzzFeed News employees — Ryan Broderick, Ryan Mac and Logan McDonald — exposed this privacy flaw yesterday (Sept. 9), and they even showed how easy it is to snatch a so-called private post.

The BuzzFeed News writers didn't share the exact steps for how to steal a private image or video asset, but their story says that you need "only a rudimentary understanding of HTML and a browser" and that the process "can be done in a handful of clicks" on Instagram or Facebook.

Facebook, in a statement to The Verge, said "The behavior described here is the same as taking a screenshot of a friend’s photo on Facebook and Instagram and sharing it with other people." 

BuzzFeed News' account of the situation suggests otherwise, as the outlet notes that even Instagram Story posts — after the 24-hour window following their posting — can be pulled with this method, and you don't even have to be logged into Instagram to do it.


The BuzzFeed Tech + News Working Group tested their trick on their own, and used it to view, download and share JPEGs and MP4s "from private feeds and stories."

Following that, the article notes that you just need to use the browser's inspect tool (found in the right-click menu) to see the source URL. All of this, it appears, can be done straight from someone's Instagram profile page.

Gizmodo disputes the argument that this kind of reverse-engineering should be called a hack, saying "what’s really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it’s trivial to look in the HTML and find a direct URL to where the image or video is." 

The difference between this and what more secure sites would do is that Instagram and Facebook don't make it harder to get such direct access.

This all comes after Instagram's parent company, Facebook, experienced a very-bad-year for privacy, when its Cambridge Analytica scandal highlighted how user data.

Henry T. Casey
