The “Hack” that lets stalkers view your private Instagram content, and a solution

A few months ago I saw a news report that you could share private Instagram pictures/videos/stories easily by extracting the URL from the HTML code. This made it possible for people who did not follow your private account to view your content. I am going to test whether Instagram has fixed this “feature” or left it in their backlog. If the latter, I will state how they could easily resolve this issue.

“The hack works even when images and videos in a private Instagram story, which are meant to last for only 24 hours, expire or are deleted. Linking URLs to content from stories seems to be valid for a couple days; links to photos on the feed remain live for potentially even longer. The same is true for stories that have purportedly expired.”

Hacking Begins

This is my private Instagram account: https://www.instagram.com/jaype_rt/

And here is a link I was able to extract from the source code on Instagram: https://instagram.fzty2-1.fna.fbcdn.net/v/t50.2886-16/69234542_2489955347929391_8639978899384758635_n.mp4?_nc_ht=instagram.fzty2-1.fna.fbcdn.net&_nc_cat=111&_nc_ohc=uetTBTW9COwAX-i31_l&oe=5E35AAA7&oh=50279a03b50b5dcdf367304b98c985a1

So as we have just discovered, Instagram is being lazy.

Solution

This solution requires AWS. Instagram is owned by Facebook and they have their own server infrastructure. However, I can’t imagine they don’t have the ability to implement this feature if necessary.

AWS provides a service called “Signed URLs” 

A signed URL includes additional information, for example, an expiration date and time, that gives you more control over access to your content. Signed URLs can also give a particular link certain access rights. For example, it could require the user to log in in order to view the content in the link. Or it could require that the link be accessed from a specific webpage/app. So Instagram could make it possible for the content to only be viewable if requested from within their own domains.
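To make the idea concrete, here is an added example (not code from this post, from AWS, or from Instagram) of a generic HMAC-signed URL that carries an expiry and is bound to one viewer. The key, the `cdn.example.com` URL, the viewer ids and the `sign_url`/`verify_url` names are assumptions for illustration; the viewer id is assumed to come from the logged-in session on the server, never from the link itself.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment keeps this in a secrets manager.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


def _signature(path: str, expires: int, viewer_id: str) -> str:
    # Bind the signature to the object path, the expiry and the viewer.
    message = f"{path}\n{expires}\n{viewer_id}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_url(base_url: str, viewer_id: str, ttl_seconds: int, now=None) -> str:
    """Return base_url with an expiry and signature valid for one viewer."""
    issued = int(time.time() if now is None else now)
    expires = issued + ttl_seconds
    path = urlsplit(base_url).path
    query = urlencode({"expires": expires, "sig": _signature(path, expires, viewer_id)})
    return f"{base_url}?{query}"


def verify_url(url: str, viewer_id: str, now=None) -> bool:
    """Serve the media only if the link is unexpired and signed for this viewer."""
    current = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        supplied = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters
    if current > expires:
        return False  # link has expired
    expected = _signature(parts.path, expires, viewer_id)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed media URL and viewer ids, for illustration only.
    link = sign_url("https://cdn.example.com/media/story123.mp4", "follower-42", 300, now=1_000_000)
    print(verify_url(link, "follower-42", now=1_000_100))  # approved follower, in time
    print(verify_url(link, "stranger-7", now=1_000_100))   # link shared with a non-follower
    print(verify_url(link, "follower-42", now=1_000_400))  # same link after expiry
```

Because the viewer id is part of the signed message, a link copied out of the page source and passed to someone else fails verification even before it expires.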

Link to referenced news article: https://www.google.com/search?q=he+hack+works+even+when+images+and+videos+in+a+private+Instagram+story%2C+which+are+meant+to+last+for+only+24+hours%2C+expire+or+are&oq=he+hack+works+even+when+images+and+videos+in+a+private+Instagram+story%2C+which+are+meant+to+last+for+only+24+hours%2C+expire+or+are&aqs=chrome..69i57.151j0j7&sourceid=chrome&ie=UTF-8

Jean Paul
