Loophole That Lets People Share Your Private Instagram Pics and Stories Isn't a 'Hack' -- but Still, Heads Up (gizmodo.com) 99

An anonymous reader shares a report: Here's another reminder to be wary of what you share online: BuzzFeed News noticed on Monday that the way Instagram and its owner Facebook serve up media content allows for anyone who has access to a private photo or video to root around in the HTML code and copy-paste a direct link to it.

BuzzFeed wrote: "The hack -- which works on Instagram stories as well -- requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user. According to tests performed by BuzzFeed's Tech + News Working Group, JPEGs and MP4s from private feeds and stories can be viewed, downloaded, and shared publicly this way.
...
Because all of this data is being hosted by Facebook's own content delivery network, the work-around also applies to private Facebook content. Here's an example of such a link to a private Instagram image, per the Verge: https://scontent-lax3-1.cdninstagram.com/vp/0907741760b14f49ebbb7d45f1e4871e/5E092026/t51.2885-15/e35/s1080x1080/67509661_124712232143789_4496164141880255274_n.jpg?_nc_ht=scontent-lax3-1.cdninstagram.com "


BuzzFeed is calling this a "hack," but what's really happening is Internet 101. When an authorized user loads a piece of content on Instagram in a browser, it's trivial to look in the HTML and find a direct URL to where the image or video is sitting on a server. This is not exactly uncommon for the content delivery networks (CDNs) that serve as the backbones of big websites; the simplest and least computationally expensive method of restricting unauthorized users from accessing the image or video in question is to make its URL very, very long.

This discussion has been archived. No new comments can be posted.

  • by SirAstral ( 1349985 ) on Tuesday September 10, 2019 @10:10AM (#59177224)

    I heard about a nifty trick that defeats this loophole.

    Someone told me... now listen real closely... that if you don't give social media all of your private information and pictures it's a lot harder for them to sell it or leak it to someone else.

    I might live my life as though it is written in the sky, but I am not going to take time out of my busy day to write it up there myself.

    A Fool and their money/privacy/liberty/integrity are soon parted.

    • Re: (Score:3, Informative)

      by kuromaru ( 5470892 )
      it'd make it harder... but not impossible... it's a public secret that facebook keeps a file on you even if you've never registered on their platform
      • it's a public secret that facebook keeps a file on you even if you've never registered on their platform

        Does the scope of Facebook's profile differ meaningfully from that of the profile that Google or any other major ad network keeps on visitors who aren't logged in?

        • Yes. Ad networks keep track of the data you've given them, which can be enough to de-anonymize anonymous data.

          Facebook's shadow profiles are bits of data they've received from those around you, that are known to not belong to them, but some "unknown" "shadow" person. Some of this shadow data includes names and relationships, because Facebook does allow relationships with people who don't have profiles on Facebook. Photos may also contain unidentified faces, that can be identified via proxy and facial reco
        • It does, in fact. Facebook's "shadow profile" is an incredibly in-depth profile of you, an individual, including not just your online activity, but your religion; religious beliefs (which are often different from one's professed religion); sexual preferences (not simply straight or otherwise, but Facebook can make educated guesses about things like position preferences, kinks and fetishes, etc.); political views; friendships; drug use (legal and illegal); and even your mental and physical health profiles.

          • by tepples ( 727027 )

            Facebook's "shadow profile" is an incredibly in-depth profile of you, an individual

            If you have citations from a reliable source for this, I'd be interested to read evidence that Facebook's shadow profile is in qualitatively greater depth than the shadow profile of individual viewers maintained by any other major advertising and analytics network.

        • So one huge shitty multinational mega corp does evil shit so that makes it ok for all of them to do it? Please tell me that's -not- what you intended.
          • by tepples ( 727027 )

            What I intended is that more engineering and/or advocacy work needs to be put into avoiding being tracked by all "huge shitty multinational mega corps," and that concentrating on Facebook in particular is counterproductive.

            • Engineering won't help. Creating more privacy tech is the exact opposite of every social media corp's reason for existing. Their business models require they violate privacy as deeply, efficiently, and often as possible. If by advocacy you mean laws with teeth on them that make my data MY DATA and I get to punch out Zuckerberg for being a privacy invading prick then I'm with you. Like maybe hitting him and other social media CEOs and other top level directors personally with fines and jail time per viol
              • Engineering won't help. Creating more privacy tech is the exact opposite of every social media corp's reason for existing.

                Then this engineering would have to be done by organizations with no direct financial ties to the social media industry. One organization I often see mentioned in this context is Mozilla.

    • by fermion ( 181285 )
      Everything online should be considered public. You share it with someone, they share it, then it is everywhere.

      This reminds me of when Snapchat came out and claimed you could now sext photos without the risk of them ending up everywhere. That is unless the receiver did a screenshot.

  • Oh wow (Score:4, Insightful)

    by ChoGGi ( 522069 ) <slashdot @ c h o g g i.org> on Tuesday September 10, 2019 @10:10AM (#59177226) Homepage

    Buzzfeed finally figured out what that "Inspect" menuitem is for...

  • In fairness... (Score:5, Informative)

    by Shaitan ( 22585 ) on Tuesday September 10, 2019 @10:15AM (#59177246)

    It is actually pretty easy to avoid this bug on the part of Instagram they are just too lazy to do it. And most sites do some level of content protection so the assumption would be that Instagram and Facebook would as well. Failing to do so could legitimately be called a security bug and therefore exploiting that bug does constitute a (albeit lamely easy) hack.

    They could block by referrer for starters. The links could include a request specific element and the content retrieved from db at need with the request specific element expiring on each load or even within a given time window. Those are just a couple off the top of my head that we implemented regularly on warez sites in the 90's. Neither is really expensive (like I said, we could manage that much for free on warez sites in the 90's) but FB is cheap and lazy because lazy is cheap. It isn't like they give a damn about your security and privacy. Their entire business model is selling out their users.

    • Re:In fairness... (Score:5, Insightful)

      by rioki ( 1328185 ) on Tuesday September 10, 2019 @10:27AM (#59177292) Homepage

      Maybe they did the cost benefit analysis and came to the conclusion that you can just make a screenshot and share that... so why bother with more layers of obfuscation and "protection".

      • by Shaitan ( 22585 )

        That can be blocked as well. That is always how security works, the more costly in terms of effort to breach the fewer breaches there will be. Far fewer people will think to screenshot the image than will right click and copy the url. It would also heavily limit roboscraping. Even fewer would access the content if you just blocked screen captures in the app.

        • No, it cannot. In what world do you think the browser can stop the OS from taking a screenshot?

          • by Shaitan ( 22585 )

            The mobile one.

            • by Shaitan ( 22585 )

              Actually the desktop as well. Try taking a screenshot of a movie you are watching on netflix sometime.

              • I just tried this. I was able to screenshot any netflix show I put on without a problem. Same with Amazon Prime and Hulu...
                • I just tried this. I was able to screenshot any netflix show I put on without a problem. Same with Amazon Prime and Hulu...

                  DMCA violation detected... dispatching attack helicopters immediately.

                • by Shaitan ( 22585 )

                  Sure, you can take the screenshot but the video image is all black. They use DRM. You might be using some platform/browser/player combination that prevents the DRM from working but in general DRM technology prevents this. This is exactly what DRM is for, allowing content providers to prevent these sort of side-channel content grabs.

                  • The video image wasn't all black. The video image of whatever was on the screen when I called for the screenshot was displayed. It's just chrome running on a standard windows laptop, perhaps the most common OS/Browser/Player combination possible, so I'm not sure what to tell you...

                    Of course, even if it's still there and working, all that DRM can't defeat an analog screenshot (point camera at screen). Which most folks figure out before trying a new browser. Hence: you can never truly block a screensho
                    • by Shaitan ( 22585 )

                      Actually you can embed sub-channel watermarks in the audio and video which are supported by DRM compliant (something that is a licensing requirement for chips which implement decoding of the most popular codecs) playback devices. When the embedded content source fails to match the source the player is reading from it blocks playback.

                      One such mechanism is audible, another example is built into US currency and digital imaging devices as well as image manipulation programs.

                      As for the screencap, out of the b

                    • As for the screencap, out of the box that combination absolutely does not allow a screencap of Netflix. I'm not sure why you'd assert otherwise. Trolling?

                      You're being stupid. The ability of Netflix to use DRM is dependent on the OS and the browser. On windows 7 it's absolutely possible to screenshot Netflix. Same on many if not all versions of Mac OSs. Same on Linux. That's all without even looking at the workarounds which will allow you to do it on operating systems which do enforce DRM.

                    • by Shaitan ( 22585 )

                      "You're being stupid. The ability of Netflix to use DRM is dependent on the OS and the browser."

                      No you are being deliberately obtuse and pretending something about my argument requires it to be particularly difficult or impossible to bypass the restriction. It isn't particularly difficult to bypass a locked door either but the number of people who walk in drops when I close it, drops further when they see a lock, drops further when that lock is actually locked and would require a few seconds and the right t

                    • Yeah, you're definitely being stupid.

                    • As for the screencap, out of the box that combination absolutely does not allow a screencap of Netflix. I'm not sure why you'd assert otherwise. Trolling?

                      Because it is literally the results I observe when trying to verify your assertion screenshots don't work: https://ibb.co/0cGQ90T [ibb.co]

                      All I did was the standard CTRL+SHIFT+Print Screen to grab the active window, and pasted it into paint. So I'm trying to figure out if you're the one trolling...

                    • Apparently it's also possible on Windows 10 using Chrome: https://ibb.co/0cGQ90T [ibb.co]
                    • Actually you can embed sub-channel watermarks in the audio and video which are supported by DRM compliant

                      Mostly true.

                      (something that is a licensing requirement for chips which implement decoding of the most popular codecs) playback devices

                      Completely false. DRM exists on a level separate from the codecs, and chip vendors will gladly sell you hardware-based decoders with no DRM licensing requirements whatsoever. DRM requirements are primarily put in place by the content owners, secondarily content distributors (and then only because of the content owners).

                      When the embedded content source fails to match the source the player is reading from it blocks playback.

                      No, that's not how it works either, at least not with any major streaming used today. Due to CDNs (shifting end points from which the client draws pieces of content) and mobile an

                    • It is still illegal to do. Just like walking in my closed and locked door.

                      Liar liar pants on fire!

                      Lying is immoral, just like murder. Murderer!!!

                    • The ability of Netflix to use DRM is dependent on the OS and the browser.

                      and the hardware and drivers too.

                      At one end, you have a pretty straightforward video player, where the video is simply decompressed in software and rendered into the OS' frame buffer. You can screenshot everything just by dumping the framebuffer.

                      At the other extreme you have a hardware decoder that entirely processes the video stream on-chip, and then composites the final image in hardware, while the screen is being scanned to the output. In that case the screen shot having a black window is accurate as that's al

              • I'm sorry you use such a user-hostile OS. This is the OS blocking you, not the app. The app is just asking for it. The OS has to provide the capability. I've not seen an OS that does, but I always use Linux, so...

            • I am still able to get screenshots on Android even if the app doesn't allow it. It's not that hard.

          • i think they meant their mobile app (lots of apps block screenshots)... but instagram could use that weird drm thing in browsers to prevent you from screenshotting (as someone else mentioned, netflix does that)
        • Comment removed based on user account deletion
          • by Shaitan ( 22585 )

            Well now your roboscraping is forced to perform far more expensive and slow image manipulation whereas with the current system you could scrape with text manipulation tools. The same computing power that would be required to scrape 5 a second from images could scrape 20000-100000/s from text.

            Which is the point, every layer of security raises the cost and effort required to break the rules. There is no such thing as security that completely protects something. In this case they've made it so any 5 year old

            • Comment removed based on user account deletion
              • by Shaitan ( 22585 )

                "And they will take their time to do it because overcoming a restriction is naturally rewarded. People generally resent restrictions and will self-motivate and sacrifice to overcome them."

                You are confusing a minority subset of the population with the population at large. People bitch and moan about restrictions, they don't sacrifice to overcome them. The sad truth is most people are cattle. So much so that getting permission from the group they are moaning at to stand in a group and moan together about thin

              • by Shaitan ( 22585 )

                P.S. If people actually worked how you suggest nobody would lock doors. Almost all door locks are trivial to bypass, it actually takes less additional time than your google search than using the intended key to open most locks. A quick google search tells you how to do it. Yet most people don't know how, of the small subset who do, most have never done it, of those who have most do it to try it somewhere permitted and never carry tools or use the skills opportunistically. As a consequence, simply locking a

      • by Shaitan ( 22585 )

        Other than preventing roboscrapers and raising the bar for breaching privacy a cost benefit analysis is exactly why I'd expect them to do this. If someone were to take a screenshot and upload it somewhere to share, that someone or some other party is paying for the bandwidth for all those shared accesses. If someone scrapes the url and shares that around it is facebook who pays the bill. Maybe it is chump change relative to what they pay for bandwidth but I doubt it is chump change in isolation.

    • by ljw1004 ( 764174 )

      It is actually pretty easy to avoid this bug on the part of Instagram they are just too lazy to do it.

      Here's another nifty trick. When you're viewing someone's private post, hit the PrntScrn button on your keyboard. Then launch Word and do Edit>Paste. Then save the Word doc to a location you'll remember. Then open up your email, and send the Word document as an attachment. This will defeat even non-lazy sites.

      • by Shaitan ( 22585 )

        It won't defeat mobile protections which is where these apps are typically used and it won't defeat a site which uses basic drm like netflix. It also costs a hell of a lot more to roboscrape content that way and when you do manage to share you will have to foot the bill for that sharing rather than the content provider.

        Every layer of obstacle adds a certain amount of benefit, it raises the bar. Just requiring them to take those extra steps increases cost to scrape by orders of magnitude and would reduce the t

      • by ChoGGi ( 522069 )

        Or press win+printscreen and it'll stick an image in your "Pictures" folder

    • What's to prevent someone from writing a script that churns through all of the possible URLs to see what's there?
      • What's to prevent someone from writing a script that churns through all of the possible URLs to see what's there?

        Like the old Photobucket hack. [wikipedia.org]

      • by Shaitan ( 22585 )

        Being one time use. Photobucket just generated pseudo-random strings that stayed valid as long as the album existed. You could simply create a set of resource locators that a fetching script will honor exactly one time... that content load. An authorized party refreshes the page, a new set of resource identifiers from some suitably large address space are generated and used up when all the images load the second time.

        All of these "but what if hacks" and loopholes ignore one simple thing. The "protection" ne
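Added example, not part of the original thread and not Instagram's or Facebook's code: a sketch of the request-specific, expiring, one-time-use media links proposed in the comments above, in place of a static unguessable URL. The function names, query parameters, the 60-second window and the viewer binding (the link only works for the logged-in session it was issued to) are assumptions of this example, and the in-memory nonce table stands in for a cache shared by the servers.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # server-side secret (constructed here)
TTL_SECONDS = 60                       # assumed validity window per page load
_used_nonces = {}                      # nonce -> expiry; stand-in for a shared cache


def _sign(path, viewer, expires, nonce):
    """HMAC over everything the link is supposed to be bound to."""
    msg = "\n".join([path, viewer, str(expires), nonce]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(path, viewer, now=None):
    """Called while rendering the page for an already-authorized viewer."""
    now = int(time.time()) if now is None else now
    expires = now + TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    sig = _sign(path, viewer, expires, nonce)
    return path + "?" + urlencode({"exp": expires, "n": nonce, "sig": sig})


def authorize(url, session_viewer, now=None):
    """Decision taken where the media is served; returns 'allow' or a reason."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        nonce = query["n"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return "deny: malformed"
    if session_viewer is None:
        return "deny: no session"      # a copied link opened while logged out
    expected = _sign(parts.path, session_viewer, expires, nonce)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "deny: bad signature"   # other viewer, other file, or tampering
    if now > expires:
        return "deny: expired"
    # Forget nonces whose links have expired anyway, then enforce single use.
    for stale in [n for n, exp in _used_nonces.items() if exp < now]:
        del _used_nonces[stale]
    if nonce in _used_nonces:
        return "deny: replayed"
    _used_nonces[nonce] = expires
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000                 # constructed timestamp
    link = issue_url("/media/private/1.jpg", "alice", now=t0)
    print(authorize(link, "alice", now=t0 + 2))    # first load by the viewer
    print(authorize(link, "alice", now=t0 + 3))    # same link pasted again
    print(authorize(link, None, now=t0 + 3))       # link shared to a logged-out user
```

None of this addresses the screenshot route debated elsewhere in the thread; it only stops the copied URL itself from working for anyone else or for a second fetch.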

  • No kidding. (Score:4, Insightful)

    by garcia ( 6573 ) on Tuesday September 10, 2019 @10:16AM (#59177250)

    This is Slashdot and I have been around long enough to know better but...this is news for nerds?

    Everyone has known about this since the beginning of time and this is not something worthy of attention.

    • It's like the journalist who discovers that it's really hard to buy a gun [dailysignal.com] than cough medicine at Wal-Mart. The news is not that it's hard to buy a gun, as many experienced gun owners already know. The news is that a journalist thought she could buy a gun like cough medicine.
      • The majority of press in the US claims that. From the discussions here, even some slashdotters believe that.

    • You have to already have access. So you can just download and repost, rather than getting nerdy on it. Since when do web hacks show you the hard way to do things?

  • I have never liked "free" picture sites, be it Instagram, Flickr, or anything similar. You get what you pay for, and oftentimes the price you pay is losing ownership of the photos, where, in theory, anything you upload there can be sold as a stock photo.

    As an alternative, $3.50 a month can get you a small LightSail VM on AWS with WordPress and a gallery extension. Add Borg Backup, Borgbase, and a cron job, and you have ransomware-resistant backups. This not just provides photo storage, but allows you to

    • more than your pictures being sold as a stock photo i'd be worried about gathering data about you and training their AI with your selfies... Wordpress isn't exactly the most secure content manager, though. Every now and then I read about another exploit... If you really want to be safe, just keep your data off the internet.
  • by Jason Levine ( 196982 ) on Tuesday September 10, 2019 @10:28AM (#59177294) Homepage

    Just another example that you shouldn't share anything online that you wouldn't want everyone to see. Even without this hole-not-hack, someone could take a screenshot of your "totally private Facebook message/Instagram photo/text message/whatever" and send that to everyone. Don't think that just because the initial communication is "you to one person" that nobody else will ever see it.

  • by argStyopa ( 232550 ) on Tuesday September 10, 2019 @10:33AM (#59177316) Journal

    ...I mean, if you're a narcissist that lives vicariously on instagram, really we're just talking degrees of oversharing, if anything.

    "Oh, I only wanted that picture of my tits to go to THOSE 134 friends, not that other group of 14 people...NOW I AM TEH MORTIFIED!"

    • Whether or not you believe there's value in the functionality, the fact that FB requires their users to login to post or view such content, means that user-level permission is trivial to implement. We've been doing it since the 1970s with user and group file permissions in Unix. FB was either too lazy or incompetent to do it, or they didn't want to do it.
    • I don't use instagram, but the one person I know is on there is AOA Hyejeong, because some of her videos get reposted to youtube.

      For famous people, it makes sense that they might have shared things with a small group of people that might be professionally embarrassing, but are normal human things. Not like in your example, where it is just a personal embarrassment, but there are totally normal things that people might talk about or share that would be problematic to become public. Like a behind-the-scenes p

  • I guess... back in the day you only had one profile photo. But you could use curl to loop through all of a _0001_n.jpg and get all of them.

  • Re: (Score:2, Troll)

    Comment removed based on user account deletion
    • I heard of this other hack from "back in the day" where you could open the hood of your car and change the oil and filter yourself! Don't let GM know about this!

      K , I won't let them know that you have to get under the car too.

  • I speak as someone who knows a fair bit about computer science but am not a web server person, so go easy on me...

    Is there some reason why restricting access to images/content is "hard"? The OP says "computationally intensive" but is it really?

    I ask because I was recently evaluating WordPress as a content delivery platform and was surprised to find that they also don't implement image access restriction on the basis of logged-in user identity (at least not in default/vanilla setups).

    This was surpri
    • Comment removed based on user account deletion
      • And this is an arms race that CAN'T end, because companies are running on "fuck the customer, WE are the masters-KNOW YOUR PLACE". Nearly every informed person DO NOT WANT this 'brave new world' that these companies are hell bent on shoving down our throats, and even the little teenybopper with the IQ of a brick starts to get the message when she discovers she can't save or forward the cute little kitty pic she is so ga-ga over..

        Yes, the brownshirt control freaks are the ones who are keeping all th

        • Oh bullshit, install linux, stick to open source, run your own private cloud, and you'll have no more excuses for your pathetic cynicism.

          The sky is not falling, you're merely standing under a dilapidated corporate awning.

    • It is like saying that a canned olive is expensive because if you include one less olive in each airline meal, you save some small amount of money that sounds impressive when quoted without explaining the total cost of all the meals.

      It is the difference between static HTML and the least-computationally-intensive dynamic page load. They save money, and it looks good on a few people's resumes, but the actual cost as a part of the costs of serving up the content is still very low.

      Wordpress doesn't do that stuf

  • Works on all the websites . . .

    Right-Click on the picture
    Select View Image
    The URL of the image appears on the Address Bar . . .
    • Just hope there aren't any transparent overlays and you can still get the picture with Javascript disabled.

      Failing that, print screen+copy/paste to your favorite 'paint' program usually works.

      • If you'd install an ad-blocker, you'd be able to get rid of that transparent overlay with two clicks, three if you like to confirm before applying.

    • by jaa101 ( 627731 )

      No it doesn’t work on all the websites. Try viewing an image attachment on Gmail or similar. Copy the image URL, log out, and try viewing the image again. It won’t work. The issue being reported here is that, images that supposedly require you to be logged in to view can actually be viewed by anyone. They’re cheaping out by using only long URLs as a security mechanism instead of properly requiring a logged-in session cookie before serving the image.

  • Taking a screenshot of photos, or downloading the video and sharing is faster and sometimes better. Then at least you have a copy of it.

    I do very little on IG (only in my browser), and don't use FB at all.
    Just yesterday I sent a link to an IG video to some friends on a whatsapp chat. They said "oh, that's a private account". I still had the page open. View Source, Ctrl-F, search for mp4, copy the first url that has the mp4 in it, go to the terminal: wget -O /tmp/funnyvid.mp4 , then attach /tmp/funnyvid

    • "Taking a screenshot of photos, or downloading the video and sharing is faster and sometimes better. Then at least you have a copy of it."

        Because anything can disappear from the internet at any time.

        There were many times I kicked myself because a video, utility, or whatever vanished without any warning and I didn't bother to save a copy of it.

  • It is a simple hack, so to speak, but you should always be happy when someone discovers something new and exciting for them. If you want to discuss if this is a hack or not, be my guest.

    However, the reason we should be discussing this is the horrible practice of instagram of not protecting their users content as advertised. They say they give only privileged users access to resources, but they make those resources public.

    They should know better, especially since they already do have an authentication scheme

    • It is sad how much whining and blaming there is on here, with so few recognizing, as you did, that this story is only about unfulfilled promises.

      Of course it is an impossible promise. But it is surprising that they didn't even try to come as close as is possible.

      And perhaps reckless.

  • "...That Lets People Share Your Private Instagram Pics and Stories"

    Lol, today I learned that some people think their pictures on Instagram are "private". That's adorable.

    No really, I wish I could give each and every one of them a hug and tell them it'll be okay.
