Someone Figured Out How to See Instagram Stories in a Browser, and That’s a Problem

By

Last week, Instagram introduced its new Stories feature, which lets users post photos and videos that disappear after 24 hours. It’s just like Snapchat! Except that, thanks to a new Google Chrome extension from developer Alec Garcia, you can view those stories from a web browser, and not just the first-party app.

The technical details: While Instagram doesn’t offer a publicly accessible API endpoint for grabbing Stories data from the service, Garcia was able to reverse-engineer it by using a proxy to view SSL requests sent to and from his phone.

This allowed him to access API endpoints that supplied data for the Stories tray which now appears at the top of the app, and the contents of those Stories. With a few clicks, you can view Stories and download their contents.

Garcia’s resourcefulness is to be commended, but the fact that it was so easy for him to figure it out should be worrying. When Instagram rolled out its Stories, founder Kevin Systrom made a big deal out of calling Stories a “format,” rather than a feature — and therefore fair game for copying from Snapchat. But a fundamental quality of Snapchat Stories is the fact that they’re only accessible via the app, and not through browsers. This is a good thing — one of many dampening effects that give Snapchat its feeling of privacy and ephemerality. The promise of Stories, on Snapchat at least, is that they’re accessible in only one particular way.

If users are sharing more sensitive information, that raises the security stakes substantially. That someone was able to figure out how to download and view Instagram Stories from a browser less than two weeks after launch signals that Instagram and its parent company, Facebook, haven’t thought everything through. Case in point: According to our testing, viewing Stories using Garcia’s extension doesn’t send read receipts, allowing viewers to see and download Stories content without the original author knowing. That’s a huge liability for a company that wants to encourage people to share more content with reckless abandon.

For all of the gripes that Snapchat’s app-only stance engenders, it also gives itself and its users far more control and information about who is seeing their content. Instagram doesn’t seem to care about those risks — it just wants you to post more.