Exclusive: Instagram Security Flaw exposed!
Your home, work and/or other significant addresses are at risk of being compromised due to an unintended consequence of Instagram's Photo Map feature.
Through my research, I believe that a significant number of users are unaware that once they use the Photo Map feature once, it is turned to ON AS DEFAULT from then onwards. Every picture you post from then onwards will be geotagged with your location unless and until you manually switch the feature off.
This becomes hazardous after enough posts are made as photo clusters and patterns start to emerge on your Photo Map.
I have found this effects MANY users, some with over 500k followers. The design flaw is dangerously precise and gives away your addresses on the very publicly accessible Instagram map.
Try it yourself. I can bet you can easily find many users that are effected. Your own account and addresses might even be compromised!
Photo Map Feature
Since Instagram introduced the Photo Map feature in version 3.0 (iOS) a little over 2 years ago, users have been able to tag their Instagram photos with a physical location and have their photos plotted on a map. That map is accessible by followers and if you're account is not set to private: the entire world.
It is a neat little feature and is quite handy if you travel a lot. You're easily able to keep a photo and locational diary of your life. Due to a few bad design decisions however, Instagram has left you vulnerable to exposing too much of your personal information if you are not 100% familiar with this feature.
How your home and work addresses can be hacked in Instagram's Photo Map
I'm sorry to have to put this technique out there, but the sooner everyone knows about this gaping privacy hole in Instagram, the faster they'll untag their compromised locations. "Technically" it is the users fault for providing the compromising information, but that hardly seems fair. The instructions below illustrate how easy and accessible users home and work addresses can be discovered:
1. Enter the users Photo Map. Choose a user who regularly uses the Photo Maps function and has a lot of photos on their Photo Map. You must be following them if their account is set to private.
2. Click on Photo clusters with the highest numbers of photos. Keep repeating this until you reach the street level in the Map and still have a large cluster of photos at that one address point.
3. You can verify the validity of that Photo clusters address on Google Maps with the aid of the street view function to determine whether it is a residential (home) or commercial (work) address.
4. Check that cluster of photos to see if they have a variety of photos within it (pictures of the beach, of restaurants, clubs - places which cannot all possibly be from that one address). This will indicate whether or not it is a "common uploading" location point.
5. Check individual photos in that cluster for a "Named Location" (click a photo then hit the info button labelled "i" on the bottom right of the photo) . If all or the large majority of photos within that cluster do not have a "Named Location" then you have probably found what you're looking for. It means that the user has not expressedly named the locations for the batch of photos and is higher than likely unaware that they have been geotagged.
It is usually pretty easy to tell if you've found what you are looking for or not. The logic here goes that, large clusters of "unnamed" photos on your Photo Map are posted unknowingly and by accident in locations that you're most commonly at: home & work.
The above is just a quick random sample of users that I found were vulnerable. I did so in a quick 10-20 mins. Scary right? Check your own account and try it with your friends. I'd bet you'll find just as many as I did, if not more.
Of course, not all users are exposed to this technique. Those who don't use this feature often or at all, and those who travel a lot or live in multiple locations are safe.
From my research and testing, I have found large sample of random users via the Explore page are vulnerable to this. I have even found "Popular" Instagrammers with upwards of 502,000 followers who plainly have their home addresses plotted very accurately on their Photo Maps.
I am certain that these users did not intend to do this, as who in their right mind would want to reveal such private information. Tech savvy or not, you are still vulnerable to bad design.
This is surely an unintended consequence of the Photo Maps feature as this privacy flaw only becomes possible after a period of time and extended use.
Do not misunderstand my position on Instagram; I love Instagram and believe it brings great value to many peoples lives. I have been a user long before it was cool, mainstream and subsequently acquired by Facebook.
However much I like Instagram, I would be remiss to just ignore this vulernability and not try and do something about it.
How is this even possible?
GPS Photo Metadata
Every photo you take with a modern smart phone will be tagged with Metadata details that you probably will never see. This includes what type of camera it was taken with, what type of phone, and of course GPS location data.
Geotagging on as default after first use
The first time you use the Photo Map function, it'll prompt you to access your Location data. From there, it will turn Photo Maps to ON as the default setting so that EVERY photo you post will be geographically plotted onto Instagram's maps. Sure, you can turn it off, but the majority of people do not realise it's even on - I get it Instagram, you're trying to "encourage" users to use your new feature.
Lack of prompts or notifications
Once geotagging has been used once, there are no more prompts to warn you that you are posting your photos geolocation. It is also possible to post photos to your Photo Map without actually "Naming" the location, which just adds to the problem.
Photos with missing GPS Metadata
While your phone will try and attach GPS metadata to all your photos, it is possible and likely for some GPS metadata to be missing. Bad Cell or GPS reception can be a cause. Also, pictures you download from the Internet usually doesn't contain any GPS metadata.
If Photo Map is on, and you try to post a photo that does not have GPS metadata, Instagram will automatically assign whatever location you're currently at whilst uploading that photo.
You can manually change this by naming the location, however Instagram will only let you chose from a list of places that you are currently near.
Humans are creatures of habit
While this is not the case for every user, especially the adventurous traveller types, the average user will most likely post the majority of their Instagrams from the same usual locations i.e. at home or at work.
Combination of factors above + time
When you combine all the seemingly harmless factors above, you get a dangerous combination of leaked privacy and information.
Photo Map (stealthily) turned on as default, with a lack of prompts leads to users who upload photos with missing GPS metadata, has Instagram automatically assign users current GPS coordinates. You do this for long enough and very obvious patterns and clusters emerge on the map - all whilst the user is unaware of what is happening.
How Instagram can address this problem
It is quite simple. Instagram needs to stop allowing photos with no GPS metadata to be posted onto it's users Photo Map. It will only allow you to choose a place that you are near at the time of posting anyway.
There is no logic or value behind doing this as it doesn't make sense tagging photos of the beach, restaurants etc at your home / other unrelated locations.
If a user is posting a photo which has missing GPS metadata, the very least Instagram can do is prompt / warn the user.
I actually tried to go through the proper channels and bring this up with Facebook through their Bug Bounty Program but they dismissed it saying it did not qualify. They insisted that there was nothing wrong with the feature. It went something like: "The fact that we include accurate location information along with photos on the Photo Map is by design." Again, technically the users fault, even though the features design is not very transparent or obvious.
In the end, it us up to the user to be savvy about their own privacy and safety. Keeping your information private is becoming harder by the day.
Please share this article with your friends and family and inform them of this vulnerability. Also, share your experiences in the comments below. Was it easy to find people's addresses? Were you effected?
This is the world we now live in, so stay safe people.
*The purpose of this blog post is purely for security research purposes and is to express my concern for the safety and privacy of the users of Instagram. Through this post I intend to raise awareness of the potential danger it can result in if privacy is not taken and managed seriously.
PERMISSION TO REPUBLISH: