Some 300 million people have accounts on Facebook-owned photo-sharing service Instagram, and while many of those users are fine with letting the world see every image they post, some Instagrammers prefer to keep their pics private. However, until this weekend there was a loophole that could give people unauthorized access to private images on Instagram.
According to an investigation by QZ.com, if Instagram users posted images when their accounts were public, those photos remained available to everyone even after users changed their accounts to be private.
While visitors to a private Instagram account couldn’t directly see those photos, if an authorized friend shared a link to previously public images, that link could be used to see now-private photos.
So if you had an account for two years and decided to take it private after the first year, all the images are ostensibly now only visible to friends that you’ve given approval to.
But if one of those friends sent someone else a link for an image from that first year when your pictures were public, that supposedly private pic could be accessed.
Making matters more complicated, reports Quartz, were users who went from public to private and back multiple times. Once you go back from private to public, everything becomes viewable. But if you later chose to go back to being private, only the newest images posted after the latest switch to private would be truly hidden from the public.
Instagram acknowledged the issue to Quartz last week, saying it was “not an area where we have received feedback or concerns from the community but will continue to revisit.”
The next day, Instagram rolled out an update taking away the shared link loophole.
However, if an Instagram user ever simultaneously published their images on Twitter or Facebook, those external links will still work regardless of the user’s privacy settings.
This is true even if your Twitter and Facebook pages are set to private, so anyone with access to your feed could share the link with the public. In order to remove access to those pics, you’d need to go back into your Tweets and Facebook updates to remove those links.
As Quartz points out, much of this is not disclosed, or poorly disclosed, in Instagram’s support documents.
“As of publication, none of Instagram’s support pages on the topic of privacy had been updated since Dec. 22, 2014,” writes Quartz’s David Yanofsky, who notes that Instagram’s owners at Facebook allow users more control over their posts. “Facebook users can specify the visibility of nearly every bit of information they put on the site on a user-by-user level. A Facebook user can make a post hidden to some users or groups of users but visible to others.”
Moreover, Facebook users can retroactively change the privacy on any of their posted content, meaning you can go back and make all your embarrassing college-era posts viewable only to certain people or no one at all.
by Chris Morran via Consumerist