I've been thinking about image privacy on social media. If you set up your S3 bucket to be public while building a platform, how do you ensure that people who aren't following a private account can't see the associated images? I noticed that with platforms like X/Twitter, they don't seem to care about this issue. I can easily view images from private accounts in an incognito browser, which doesn't seem secure at all. Instagram, on the other hand, doesn't allow you to 'copy image address' for images in their web version. How do they handle image loading? Are they using some trick to avoid including standard tags in their frontend? And if I were able to reach the image, is there a way to programmatically control access based on follower status?
4 Answers
It's definitely conceivable for a server to decide whether to serve an image or not based on user cookies. Many platforms provide hard-to-guess URLs or use cryptography to generate special temp access URLs, allowing a CDN to serve images without needing to involve the app's authentication logic.
If you inspect the elements on Instagram, you'll see that they do include traditional image tags, but they overlay them with transparent elements. So when you right-click, you're not getting the image's context menu, which creates that illusion of not being able to copy the image address. It's a neat little trick!
Ah, thanks for the clarification! That makes sense.
They're probably using `pointer-events: none` to prevent the image menu. Plus, their URLs can have tracking data in the query parameters. I actually created a scraper that can find those raw URLs.
Instagram does use `` tags but generates their URLs dynamically with a short expiry time. You can access them publicly when you're logged out, but once you have a cookie for authentication, it's somewhat straightforward to manage access based on follower status through a middleware system.
That's interesting! Does X use a similar method? I find it odd that I can share images from private accounts, but I guess that's just like taking a screenshot.
Instagram uses signed URLs for images, which allows temporary access based on certain conditions. These URLs expire quickly, making it more difficult to directly share images.
Exactly! So they might just allow their images to be accessed temporarily, yeah? I wonder if they replicate these images in a secure space elsewhere.