Instagram didn’t know it was storing deleted photos and direct messages for years. Researcher gets $6,000 USD bounty for uncovering the flaw

The cybersecurity community continues to report bugs on Instagram. This time, a researcher received a $6,000 USD bounty after discovering that the social network kept storing photos and Direct Messages (DMs) even after this information had supposedly been deleted.

Saugat Pokharel, an independent cybersecurity specialist, discovered this when he downloaded his data from the platform. The data download function was implemented in 2018 to comply with the European Union’s General Data Protection Regulation (GDPR); the information he downloaded contained photos and DMs that he had deleted long ago.

Although retaining deleted data for a period is a common practice, and Instagram claims it takes about 90 days to permanently delete any records from its systems, networks and cache, Pokharel discovered that information he had deleted more than a year earlier was still available through Instagram’s servers: “The social network didn’t really delete my data after I decided to delete it”, the researcher said in an interview with the TechCrunch website.

The flaw was reported in October 2019 through Instagram’s rewards program. Finally, the social network completely corrected this flaw a couple of weeks ago.

In this regard, a spokesperson for the company stated: “The researcher reported a problem storing messages and photographs, allowing the deleted information to still be available by downloading data. The problem has already been fixed, and we have not detected evidence of abuse of this error.” The spokesperson concluded by expressing thanks for the report of the flaw.

This is not the first time a similar failure has been reported. A few months ago, Twitter fixed an issue that allowed users to access their messages that had been deleted a long time ago, including those sent to suspended or deactivated accounts, using the data download feature.