A researcher found a serious “bug” in the Instagram platform that violated users’ privacy. Briefly, he found that Instagram retained users’ data after deletion including photos and private DMs. Instagram dubbed the issue as a bug that it later patched.
Instagram Retained Data After Deletion
Security researcher Saugat Pokharel found that Instagram did not remove users’ data after deletion.
Sharing the details in a post, the researcher explained that he found the bug accidentally while browsing through his profile. He attempted to download Instagram data for his account to have a backup. However, upon viewing the data, he could see information that he previously deleted.
As he stated in his post,
I unzipped the file and began to view all the files and folders one after another. To my surprise, I noticed a very unusual thing. The backup files had few photos which I deleted back in 2013…
Apart from photos, he could also view deleted chats in the backup with valid links for photos in the conversation.
Digging up even further, I found that the conversations that were deleted long ago were still viewable in the Message.json folder. There were URL links for the photos in the conversation files which when copied and pasted into the browser would generate valid signature URL and loads up respective photos/attachments which were sent and deleted 4–5 years back.
This wasn’t the case with a single account only. Rather he could reproduce the same on his other account.
Instagram Paid $6000 Bounty
Upon noticing the glitch (that he first observed in October 2019), Pokharel wrote to Facebook informing them of the matter.
After some back and forth conversation, Facebook admitted the existence of the bug. Also, for his findings of a sensitive bug, Facebook rewarded him with a bounty of $6000.
Hence, now, the bug no more exists as the tech giant has fixed the bug as of July 7, 2020.
Let us know your thoughts in the comments.