Instagram bug allowed anyone to view “private” photos

Instagram has fixed a vulnerability which allowed anyone with access to an image’s URL to view the photo, even photos shared by users whose accounts are set to “private.” A Quartz reporter discovered the problem while using Instagram’s API as a reporting tool.

The problem is thought only to have applied to Instagram users who shared an image to their private accounts while simultaneously posting it to services like Facebook or Twitter. This created an image URL which could then be followed by anyone back to Instagram.

That part had been previously disclosed. But before this update, Quartz discovered that images shared while an account was public could still be viewed this way even after the account was taken private, effectively limiting the privacy afforded by making the switch.

The episode highlights the difficulty of honoring a consumer’s privacy settings. Instagram was unaware of the problem, and it required a specific sequence of events to be exploited, but countless “private” images could’ve been leaked to the public by exploiting this bug.

Companies that offer granular controls (like Facebook) are criticized for overwhelming consumers, while companies providing simpler tools (like Instagram) offer controls that seem simple but are actually much more convoluted than they appear. As this vulnerability illustrates, neither option is perfect.

Source: Instagram bug allowed anyone to view “private” photos, NATHANIEL MOTT, JANUARY 12, 2015 (http://pando.com/2015/01/12/instagram-bug-allowed-anyone-to-view-private-photos/)
