Instagram pictures on private accounts made public by security bug

Huge numbers of Instagram pictures that their owners thought were private were in fact being exposed to the world until a bug was fixed this week.

If Instagram users posted a photo with their account set to public, and then changed that setting to private, the picture would remain publicly viewable, Quartz reported.

Instagram acknowledged the bug to Quartz last week and has since fixed it.

It does not seem to have support documents telling users how to navigate the complex status of pictures on Instagram, and how to be sure whether they are public or private.

Quartz said that it was probably a consequence of the “sort of complexity that ordinary users are required to navigate if they aim to control the online availability of personal information such as photos”.

Before the bug was fixed, users could see photos that were public through the Instagram website. Users could copy the link to photos, whether public or private, and use it to open any image.

Usually, linking to such images would bring up a message saying that the page could not be found. But if that photograph was taken while the account was public, and then changed to private, it could still be seen.

Those links also get posted to Facebook and Twitter accounts, if they are linked to the Instagram app. That meant that anyone following those links could do the same thing to see pictures, even if the profile was since made public.