Instagram shared account bug exposes private notifications

The Instagram app (just the Android version, it seems) has a new bug that could leave some users' private notifications open to other (unauthorized) users. The bug apparently involves the new multi-account feature, which allows someone with more than one Instagram account to add them to the mobile app. Users with a shared second account are receiving notifications intended for the private (non-shared) accounts belonging to other members of the shared account.

The issue is a little tricky to explain. Imagine you and your coworkers all have your own private Instagram accounts. Imagine that the company you work for also has an account, and all employees have access to it. You and your coworkers add the company's Instagram account to your app as a secondary account (joining your personal one).

In that arrangement, and assuming you're using the Android app, you would receive push notifications belonging to your coworkers' private accounts because you all have the same shared company account added in your apps. It's a big privacy concern, especially considering the push notifications include Instagram Direct messages.

Fortunately, tapping the push notifications just takes the user to their own account, limiting the degree of privacy violation (though, of course, the notifications can include clips of texts, including from direct messages). Reports indicate the issue isn't entirely consistent — some users see the errant notifications more often than others, and some received them for a little while before they disappeared.

SOURCE: Android Central