Independent security researcher discovers Instagram retained photos and chats after deletion, awarded $6,000

Saugat Pokharel, an independent security researcher, found that photos and private messages shared through Instagram remained on its server even after deletion.

Independent security researcher Saugat Pokharel was awarded a $6,000 (approximately Rs. 4.5 lakhs) bug bounty after he discovered that photos and private messages shared through Instagram remained on its server even after deletion.

The discovery came after Pokharel used ‘Data Download’, a feature launched in 2018 to address privacy concerns that lets users view and download their account data at any time, and found photos and private messages that he had deleted long ago. According to reports by TechCrunch, the researcher found that deleted data from more than a year ago was still stored on Instagram’s server and was able to download it.

Most companies do keep deleted data for a while until it can be properly wiped from their networks, systems, and caches. Instagram says complete removal of deleted data takes 90 days, so this bug surprised Pokharel and other users.

The researcher reported the bug in October last year through Instagram’s bug bounty program, and the company fixed it last month, according to a statement Pokharel gave to TechCrunch.

A spokesperson for Instagram said that the company has fixed the issue and has not found any instances of abuse. He also thanked the researcher for reporting the problem.

A similar issue was fixed by Twitter last year using its own data download tool.

Last year, Instagram also rolled out a feature to protect personal data from being accessed by previously discarded third-party applications.