Jan 12, 2015 · 1 minute

Instagram has fixed a vulnerability which allowed anyone with access to an image's URL to view the photo, even those shared by users whose accounts are set to "private." A Quartz reporter discovered the problem while using Instagram's API as a reporting tool.

The problem is thought only to have applied to Instagram users who shared an image to their private accounts while simultaneously posting it to services like Facebook or Twitter. This created an image URL which could then be followed by anyone back to Instagram.

That part had been previously disclosed. But before this update, Quartz discovered that images shared while an account was public could still be viewed this way even after the account was taken private, effectively limiting the privacy afforded by making the switch.

The episode highlights the difficulty of honoring a consumer's privacy settings. Instagram was unaware of the problem, and it required a specific sequence of events to be exploited, but countless "private" images could've been leaked to the public by exploiting this bug.

Companies that offer granular controls (like Facebook) are criticized for overwhelming consumers, while companies providing simpler tools (like Instagram) offer seemingly simple tools which are actually much more convoluted than they appear. As this vulnerability illustrations, neither option is perfect.

[illustration by Hallie Bateman]