Saugat Pokharel, an independent security researcher, has found a bug in Instagram’s systems that resulted in the platform retaining personal user data even after users had deleted it, with some of that data dating back “more than a year”. Pokharel told TechCrunch that Instagram acknowledged the bug and awarded him a $6000 bug bounty.
He discovered this using Instagram’s “Download Your Information” tool. When Pokharel downloaded his data using this tool, he found that it contained photos and private messages with other users that he had previously deleted. He reported the discovery to Instagram in October 2019, but it was fixed only earlier this month.
Now, one might argue that he should have expected to get back deleted data. After all, isn’t that what a “Download Your Information” tool is supposed to do? While that is correct, and Instagram does admit to keeping user data for up to 90 days before complete removal, Saugat notes that some of the retrieved data was “more than a year” old, which rather flagrantly contradicts the platform’s claims.
“We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” an Instagram spokesperson told TechCrunch on Thursday.
A similar bug was found in Twitter’s system as well. Last year, security researcher Karan Saini found years-old messages and other data of accounts that were suspended or deactivated.