
Private Instagram Posts Aren’t Private - coloneltcb
https://www.buzzfeednews.com/article/ryanhatesthis/private-instagram-posts-arent-exactly-private
======
codezero
In other news, you can record your screen and share it with anyone.

This is really not at all shocking. I would be really impressed if they had
bothered using some kind of one-time-key for each user who is authorized to
see the content, but given that you can just record your screen, or take a
screenshot, or, like, literally hold your phone up and show anyone, the idea
that there should be something more secure or authenticated in place doesn't
make much sense to me.

Do they want to add DRM to Instagram stories? Probably not.

~~~
professorTuring
That is, the risk of someone actually doing this is almost zero. For the
average Joe it is much simpler to capture the image or make a picture of the
image and re-share it.

If you want your pictures/videos to be private, there is only one way: not
sharing them.

------
RcouF1uZ4gsC
Previous HN Discussions:

Commenter1: "Buzzfeed isn't journalism, it is just clickbait"

Commenter2: "No, BuzzfeedNews is completely different from Buzzfeed and they
are real journalism and not clickbait."

BuzzfeedNews: "Here's this clickbait article that you can save images in HTML
pages."

Commenter2: Facepalm

~~~
phinnaeus
I don't disagree with your overall point, but there is definitely a difference
between being able to save an image from a webpage and being able to share the
URL that image was loaded from and having it work for un-authenticated users.

~~~
majewsky
Besides, we still have a long way to go educating users just how easy it is to
accidentally share content to wider audiences than intended, if only because
one of the intended recipients can copy and redistribute everything so easily.
This is a point that I believe most people are still oblivious to and we need
to remind them continuously if we want to foster a better understanding of
privacy in the digital age.

------
throwaway617845
This is how CDNs always worked. The same “hack” can be accomplished by right-
clicking and saving the image to your computer.

~~~
paggle
Facebook’s image CDN doesn’t work like this. If I save the media URL and send
it to someone, it won’t work for them. I’ve tried — the URLs are user
specific.

~~~
MontagFTB
Sharing a URL to an asset is different than downloading that asset and sharing
it directly.

~~~
paggle
But this article is about sharing the URL. That’s preventable, which
screenshotting is not.

------
umeshunni
Can we have a blanket ban on BuzzFeed on HN? I don't see articles from Fox
News or The Onion on the front page often and they are arguably higher quality
than BuzzFeed.

------
glhaynes
Is there any identifying info included in the URL showing which account it's
from, etc? That'd be a significant difference from a screenshot which could
easily be faked. The write-up seems to imply there is:

 _This process differs from just taking a screenshot of a private account
you’re following for a few reasons. These public URLs contain some basic info
about the photo or video they link to, including details about how it was
uploaded, photo dimensions, and whatnot. They also prove authenticity; you
can’t fake one. Beyond this is the issue of deleted photos and videos being
stored on Facebook’s content delivery network after a person believes them to
be deleted._

~~~
Scaevolus
There isn't.
https://www.instagram.com/p/B2MbtfSj6bY/
becomes

    https://scontent-sjc3-1.cdninstagram.com/vp/94ac7c0032c62b737da97916b366e595/5E13F33E/t51.2885-15/sh0.08/e35/s640x640/69709584_187663175587547_8508889683678841045_n.jpg

    i.e. https://$CDN_NODE.cdninstagram.com/vp/$SIGHASH/$TIMESTAMP/$BUCKET/.../$RES/$RANDOM_$RANDOM_$RANDOM_n.jpg

https://www.instagram.com/p/B2LkRQcgKDQ/
(same account!) becomes

    https://scontent-sjc3-1.cdninstagram.com/vp/ab180f62cd8055dcd55baf43a714d789/5DFFA87A/t51.2885-15/sh0.08/e35/s640x640/69130313_151844792582781_4219907330704607536_n.jpg?_nc_ht=scontent-sjc3-1.cdninstagram.com

Which doesn't share any distinct identifiers in common, apart from the generic
resolution/bucket specifiers.

------
juddlyon
Absolutely nothing within a thousand miles of FB can be expected to be
private.

~~~
autoexec
Nothing on social media period.

~~~
TooCleverByHalf
Nothing on the internet period?

------
baby_wipe
Articles like this make me think there's an opportunity for a news aggregator
that just scrubs/edits click-bait titles. It's a big part of what makes HN
useful.

------
ipsum2
tl;dr: You can inspect the webpage and copy the image source from a private
photo. This is no different than just taking a screenshot from the page.

Quality reporting from Buzzfeed news.

~~~
carbocation
However, if accessing the photo required authorization, then this would be a
non-issue, since non-authorized users would not be able to access the photo in
this way.

That still wouldn't affect the fact that your authorized users could copy or
screenshot the photo, but it would mean that the company itself wasn't serving
photos publicly when the users specifically instructed the company not to do
so.
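
Added example, not part of the original thread and not Instagram's or Facebook's actual CDN logic: a sketch of the viewer-bound, expiring media URL that the comments above call a "one-time-key", "user specific" URLs, or "required authorization". The `/vp/<sig>/<expiry>/<path>` layout mirrors the breakdown earlier in the thread; the key, function names, HMAC construction and sample path are assumptions.

```python
import hashlib
import hmac

# Constructed demo values; a real service would load the key from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_PATH = "t51.0000-00/e35/s640x640/constructed_photo_n.jpg"


def _signature(viewer_id: str, expires_hex: str, path: str) -> str:
    """HMAC over viewer, expiry and asset path, so none of them can be swapped."""
    msg = "\n".join((viewer_id, expires_hex, path)).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(viewer_id: str, path: str, now: int, ttl: int = 300) -> str:
    """Issue a short-lived URL for one authorized viewer (hypothetical layout)."""
    expires_hex = format(now + ttl, "X")
    return f"/vp/{_signature(viewer_id, expires_hex, path)}/{expires_hex}/{path}"


def verify_url(url: str, session_viewer_id, now: int) -> bool:
    """Serve the asset only to the session the URL was issued for."""
    parts = url.split("/", 4)  # ['', 'vp', sig, expires_hex, path]
    if len(parts) != 5 or parts[0] != "" or parts[1] != "vp":
        return False
    sig, expires_hex, path = parts[2], parts[3], parts[4]
    if session_viewer_id is None:  # unauthenticated request: never serve
        return False
    try:
        expires = int(expires_hex, 16)
    except ValueError:
        return False
    if now > expires:  # expired link, even for the right viewer
        return False
    expected = _signature(session_viewer_id, expires_hex, path)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    url = sign_url("alice", SAMPLE_PATH, t0)
    print(url)
    print("issued-to viewer:", verify_url(url, "alice", t0 + 10))
    print("forwarded to another account:", verify_url(url, "mallory", t0 + 10))
    print("no session:", verify_url(url, None, t0 + 10))
```

The viewer identity is taken from the authenticated session rather than from the URL, so a forwarded link fails for anyone else; screenshots and re-uploads by an authorized viewer remain out of scope, as the thread notes.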

------
zelly
ok I'll just brute force every 40 character hex string to find all the CDN
urls and epically pwn everyone, thanks buzzfeed

