- Security researcher was rewarded by Instagram for finding the bug
- Instagram was storing data even after users deleted it
- Instagram says it removes everything 90 days after deletion
A security researcher was awarded a $6,000 (roughly Rs. 4.5 lakhs) bug bounty after he discovered that Instagram retained photos and private direct messages on its servers even after deletion, as per an online report. The researcher reported the bug in October last year through Instagram’s bug bounty programme, and it was fixed earlier this month by the Facebook-owned company.
While it is not uncommon for companies to keep freshly deleted data for a while until it can be properly removed from their networks, independent security researcher Saugat Pokharel found that Instagram’s servers still had data that he had deleted more than a year ago, according to a report by TechCrunch. Instagram says that it takes about 90 days for deleted data to be completely removed from its systems, networks and caches, as per the report.
When Pokharel used ‘Data Download,’ Instagram’s data download tool, he found photos and private messages with other users that he had previously deleted. He then reported this to Instagram and was awarded $6,000, said the report. A spokesperson for Instagram confirmed the incident in a statement to TechCrunch, saying that the issue had been fixed and that they did not find any evidence of abuse.
Instagram launched its Data Download tool in 2018 amidst global concerns over whether the privacy of users’ information on social media platforms was being compromised. The tool allows users to export their photos, videos, archived stories, profile, comments and more. However, Instagram reported a few months later that some of its users’ passwords had been compromised due to a bug in the Download Your Data tool, which was subsequently fixed.
Instagram also rolled out a feature last year that gives users control over the personal information shared with third parties through Instagram.