
No, Facebook and Instagram aren't sharing your private images

Richi Jennings, Industry analyst and editor, RJAssociates

BuzzFeed is under fire this week, for spreading a non-story about privacy on Facebook and Instagram. Don’t you think Zuck’s properties have enough real privacy issues without inventing fake ones?

The naïve “revelation”? If you share something with someone, that person could make a copy. I know: Mind. Blown. /s

Welcome to the eternal September of Internet clickbait. In this week’s Security Blogwatch, we party like it’s September 9508, 1993.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Voodoo.


BuzzFeed FAIL

What’s the craic? Ryan Broderick, Ryan Mac, and Logan McDonald breathlessly “report”—A shockingly simple work-around allows your followers to share private photos and videos:

Photos and videos posted to private accounts on Instagram and Facebook … can be accessed, downloaded, and distributed publicly … via a stupidly simple work-around. … A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL [which] can then be shared with people.

The hack works even when images and videos in a private Instagram story … expire or are deleted. … Because all of this data is being hosted by Facebook’s own content delivery network, the work-around also applies to private Facebook content.

If someone were to publicly share one of your private images or videos without your permission, you would have no idea who had done so or how many people had seen it. [This is] particularly egregious given Facebook's ongoing privacy missteps.

ZOMG! That’s terrible. Wait, what? Tom McKay says it Isn't a 'Hack'—but Still, Heads Up:

BuzzFeed is calling this a “hack,” but what’s really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it’s trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server.

This is not exactly uncommon. … The simplest and least computationally expensive method of restricting unauthorized users from accessing the image or video in question is to make its URL very, very long. … So long, in fact, that it would be practically impossible for someone to … guess.

[Also] screenshots exist. … If there’s a traitor in your friends list, there’s not much Facebook can do about it.

In any case, this is yet another reminder that private content is only as private as the people with access choose to keep it. Choose what you upload carefully, who you choose to let see it even more so, and never, ever assume that hitting “delete” on something has actually deleted it.

LOL. argStyopa grooms a user story:

"Oh, I only wanted that picture of my **** to go to those 134 friends, not that other group of 14 people. NOW I AM TEH MORTIFIED!"

And Oldarney says this is true with most private sharing platforms:

Unguessable URLs are not a security issue. You could screen shot the post and upload it to an image hosting service: Same result.

Yep, entropy FTW. randompants feeds the trolls:

Just wait until BuzzFeed finds out about fusking!

But what can we learn from this? Ian Bogost—@ibogost—flips it around:

It’s actually quite interesting that this behavior of the web isn’t widely understood, such that BuzzFeed can legitimately present it as surprising and “OMG.”

Yet some people still believe Something Must Be Done. Erica Windisch—@ewindisch—thinks of the children:

All the major CDNs support [authentication] at the edge now.

So what? Screenshots exist. And if you can capture the URL or walk the cache, you. can. copy. the. file. SirAstral explains:

I heard about a nifty trick that defeats this loophole.

Someone told me—now listen real closely—that if you don't give social media all of your private information and pictures, it's a lot harder for them to … leak it to someone else.

Meanwhile, Octavio Lagos sums up:

I always knew BuzzFeed was ****, but making an entire entry with the oldest trick in the book and even calling it a "hack"? I'm blacklisting this site from now on.

The moral of the story?

Similar bogus “revelations” pop up every so often, but entropy always wins. However, whether you’re in dev or IT, consider reminding your users not to share private data—even “in private.”
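To put numbers on “entropy always wins,” and to show what the “authentication at the edge” option quoted above looks like in practice, here is an added example (not code from the original post, and not Facebook’s or any real CDN’s implementation). It assumes a hypothetical origin, a constructed edge secret, and a made-up viewer id; it contrasts a plain unguessable (capability) URL with an HMAC-signed URL bound to a viewer and an expiry, which is the general pattern behind signed-URL features on CDNs. Neither variant stops an authorized viewer from screenshotting or re-uploading the file, which is the point of the story.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical origin and secret: stand-ins, not Facebook's or any real CDN's values.
CDN_ORIGIN = "https://cdn.example.invalid"
EDGE_SECRET = b"constructed-demo-secret-rotate-in-production"


def capability_url(token_bytes: int = 32) -> str:
    """Unguessable URL: the only access control is the entropy of the path."""
    token = secrets.token_urlsafe(token_bytes)  # 32 bytes -> 43 URL-safe chars
    return f"{CDN_ORIGIN}/media/{token}.jpg"


def guess_space_bits(token_bytes: int = 32) -> int:
    """Bits of entropy in a random token of the given length."""
    return token_bytes * 8


def years_to_enumerate(bits: int, guesses_per_second: float = 1e12) -> float:
    """Expected years to enumerate the whole token space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (3600 * 24 * 365)


def sign_url(path: str, viewer_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Signed URL: binds the path to one viewer and an expiry with an HMAC the edge can verify."""
    issued = now if now is not None else int(time.time())
    expires = issued + ttl_seconds
    msg = f"{path}|{viewer_id}|{expires}".encode()
    sig = hmac.new(EDGE_SECRET, msg, hashlib.sha256).hexdigest()
    query = urlencode({"viewer": viewer_id, "exp": expires, "sig": sig})
    return f"{CDN_ORIGIN}{path}?{query}"


def edge_check(url: str, presented_viewer_id: str, now: Optional[int] = None) -> bool:
    """What an authenticating edge does per request: reject unknown viewer, expiry, or tampering."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        viewer, expires, sig = qs["viewer"][0], int(qs["exp"][0]), qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # malformed or missing parameters
    if viewer != presented_viewer_id:
        return False  # link was forwarded to someone it was not issued to
    current = now if now is not None else int(time.time())
    if current >= expires:
        return False  # link has expired
    expected = hmac.new(
        EDGE_SECRET, f"{parsed.path}|{viewer}|{expires}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so signature checks don't leak timing information.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print("capability URL:", capability_url())
    print(f"{guess_space_bits()} bits -> {years_to_enumerate(guess_space_bits()):.2e} years at 1e12 guesses/s")
    link = sign_url("/media/photo1.jpg", "alice", ttl_seconds=300, now=1_000_000)
    print("alice, in window:", edge_check(link, "alice", now=1_000_100))
    print("bob, same link:  ", edge_check(link, "bob", now=1_000_100))
    print("alice, expired:  ", edge_check(link, "alice", now=1_000_300))
```

The capability URL is the model BuzzFeed “discovered”: a 256-bit random path is not enumerable at any realistic guess rate, so the only way it leaks is that someone who was allowed to see it copies it. The signed variant narrows that further (a copied link stops working for other viewers and after the TTL), which is the kind of edge authentication the quoted suggestion refers to; it still cannot undo a screenshot taken inside the window.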


And finally

Voodoo Child on a Korean gayageum (plus her 2013 prototype)

 Hat tip: MadCatMan


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Anthony Quintano (cc:by)
