A security researcher received a $6,000 USD (roughly $7,952.22 CAD) bug bounty payout after discovering a flaw that caused Instagram to retain photos and private direct messages on its servers after users had deleted them.
As reported by TechCrunch, independent security researcher Saugat Pokharel discovered the bug when he tried to download his data using the tool provided by Instagram. The Facebook-owned company launched the data download tool in 2018 to comply with Europe’s new GDPR regulations. When Pokharel downloaded his data, he found that images and private messages he sent and later deleted were included in the download.
It’s worth noting that companies often hold onto data after users delete it, but usually only for a short time, since it can take a while to fully delete data from all systems. For example, Instagram takes about 90 days to completely remove deleted data. However, Pokharel’s deleted data remained available through the download tool for more than a year.
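The retention window described above is usually implemented as a "soft delete": the row is flagged as deleted, stays in the database until a purge job removes it after the window, and every user-facing read path is supposed to honour the flag. The bug class in this story appears when one read path, here a data-export tool, filters only on the owner and forgets the flag. The following is an added example, not Instagram's or Facebook's code, that models this with a hypothetical in-memory store: `export_buggy` reproduces the leak, `export` applies the same visibility rule as the product UI, and `overdue` is the retention check a compliance job could run to catch rows that outlived the window. The 90-day figure is taken from the article; the schema, names and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed retention window; the article quotes about 90 days for Instagram.
RETENTION = timedelta(days=90)

# Constructed timestamp used for the sample records below.
SAMPLE_T0 = datetime(2019, 1, 1, tzinfo=timezone.utc)


@dataclass
class Item:
    """One user-owned record: a photo or a direct message (hypothetical schema)."""
    item_id: str
    kind: str                              # "photo" or "dm"
    owner: str
    created_at: datetime
    deleted_at: Optional[datetime] = None  # set on soft delete, row removed by purge


class UserDataStore:
    """Hypothetical store with soft delete, a purge job and two export paths."""

    def __init__(self) -> None:
        self._items: Dict[str, Item] = {}

    def add(self, item: Item) -> None:
        self._items[item.item_id] = item

    def soft_delete(self, item_id: str, when: datetime) -> None:
        # The row stays for the retention window (backups, replication),
        # but from this moment on it must not be visible to the user.
        self._items[item_id].deleted_at = when

    def overdue(self, owner: str, now: datetime) -> List[str]:
        """Retention check: soft-deleted rows that should already have been purged."""
        return sorted(i.item_id for i in self._items.values()
                      if i.owner == owner and i.deleted_at is not None
                      and now - i.deleted_at >= RETENTION)

    def purge_expired(self, now: datetime) -> List[str]:
        """Hard-delete rows whose retention window has elapsed; returns their ids."""
        expired = sorted(i.item_id for i in self._items.values()
                         if i.deleted_at is not None and now - i.deleted_at >= RETENTION)
        for item_id in expired:
            del self._items[item_id]
        return expired

    def export_buggy(self, owner: str) -> List[str]:
        """Export that filters on owner only: deleted-but-unpurged rows leak out."""
        return sorted(i.item_id for i in self._items.values() if i.owner == owner)

    def export(self, owner: str) -> List[str]:
        """Export that honours the soft-delete flag, like the product UI does."""
        return sorted(i.item_id for i in self._items.values()
                      if i.owner == owner and i.deleted_at is None)


def build_sample_store() -> UserDataStore:
    """Constructed sample data, not real Instagram records."""
    store = UserDataStore()
    store.add(Item("photo-1", "photo", "alice", SAMPLE_T0))
    store.add(Item("photo-2", "photo", "alice", SAMPLE_T0))
    store.add(Item("dm-1", "dm", "alice", SAMPLE_T0))
    store.add(Item("dm-2", "dm", "bob", SAMPLE_T0))
    # alice deletes one photo and one DM the day after creating them
    store.soft_delete("photo-2", SAMPLE_T0 + timedelta(days=1))
    store.soft_delete("dm-1", SAMPLE_T0 + timedelta(days=1))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    a_year_later = SAMPLE_T0 + timedelta(days=365)
    print("buggy export:", store.export_buggy("alice"))   # includes photo-2 and dm-1
    print("fixed export:", store.export("alice"))         # photo-1 only
    print("overdue for purge:", store.overdue("alice", a_year_later))
```

The point of keeping both `export` and `overdue` is that they catch different failures: the export filter stops deleted content from reaching the user even inside the window, while the overdue check detects a purge job that silently stopped running, which is the only way a one-day-old deletion is still on disk more than a year later.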
Pokharel reported the bug in October 2019 through Instagram’s bug bounty program. He says Instagram finally fixed the bug earlier this month.
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” Instagram told TechCrunch in a statement.
Twitter fixed a near-identical problem with its data download tool last year.