Instagram bug could have allowed others to read your direct messages

We live in a world where app developers are rolling out new features non-stop, constantly. (“Software is eating the world” and all that.)

Notwithstanding all the fancy new devops and agile processes out there, when you’re in a huge hurry, sometimes security flaws squeeze through unnoticed.

That’s what happened to Instagram last week.

Its Android developers proudly rolled out a brand-new feature that made it easy to set up a shared account to complement your private account. You’d be able to switch between up to five accounts without logging out and re-logging into another one. Cool, right?

But, according to the Android experts at Android Central, many users who tried this got an unpleasant surprise: if you shared one account with other users, they started seeing notifications about private direct messages to the account you didn’t share.

Unauthorized users couldn’t actually reply to these messages; trying to do so would simply display their own accounts. But they could see what-you-probably-thought-was-private information – not least, who you were swapping messages with, their profile photo, and some of the message (but not the photo itself).

Android Central said the bug seemed sporadic, so maybe that’s why it escaped testing. There are no reports of similar flaws on Apple iOS or Windows Phone.

Instagram told Android Central that the issue has now been fixed.

If there’s an update available for your Android Instagram app, now’s a good time to go get it. While it’s installing, maybe give a moment’s thought to the challenge of writing secure apps for platforms as huge and diverse as Android.

When an app’s security features really matter to you, it’s no crime to step back from the bleeding edge and be a “second adopter.”

A while back, Instagram’s parent company Facebook abandoned its notorious motto, Move Fast and Break Things. But things do still break.

And with that final observation, we must share the world’s best comic on this very topic.

Image of Instagram user courtesy of Denys Prykhodov /