Security researcher Saugat Pokharel has discovered an Instagram bug that left user photos and messages on Instagram servers for a year after they were deleted. Instagram quickly responded and awarded Pokharel a $6,000 bug bounty payout.
Pokharel discovered the Instagram bug after he downloaded a copy of his data, long after deleting photos and direct messages from the app. As reported by TechCrunch, he informed Instagram of the bug in October 2019. Instagram launched the feature to download your data in 2018 in order to comply with the European Union’s GDPR data privacy policies.
According to Instagram, it takes 90 days for photos and direct messages to be deleted from its servers, which isn’t entirely uncommon. However, this bug caused Pokharel’s data to be stored on the company’s servers for more than a year. As Pokharel went through his downloaded data, he discovered messages and pictures that should have long since been deleted from the app.
Instagram has said that the bug was fixed earlier this month. Speaking to TechCrunch, a spokesperson said: “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”
Twitter faced a similar issue last year. At one point, users were able to use Twitter's own download tool to access direct messages that had been deleted, including those sent to and from suspended or deleted accounts.