Security researcher Saugat Pokharel, who lives in Kathmandu, Nepal, recently disclosed in a blog post a bug in Instagram: the company kept copies of users' data on its servers even after the users had deleted it from their accounts. He came across the issue by accident.
Instagram is a Facebook-owned social media platform with users worldwide, and it is especially popular among teenagers.
According to Saugat, he discovered the bug in October 2019 and reported it to Facebook's security team right away. The fix, however, was not released until August 2020. In his blog post he shared the full thread of his conversation with the Instagram team.
Instagram lets users delete content from their accounts, including personal messages. Deleted content is reported to be retained for up to 90 days before it is purged from the backend. Separately, users can request a full copy of their account data through the Download Your Information tool.
That copy contains everything tied to the account: followers, accounts followed, personal messages, photos, archived posts, and so on. Once it is ready, the user retrieves it through a direct download link.
Saugat noticed the problem when he requested such a copy of his own account and found that it included content he had deleted. A copy should never contain anything deleted longer ago than the retention period, yet his included photos he had deleted as long as five or six years earlier. The only explanation was that deleted content was still being stored somewhere on the company's servers, outside whatever process was supposed to purge it.
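To make the failure mode concrete, here is an added example in Python, written for this page rather than taken from Instagram's systems or from Saugat's post. It models a 90-day soft-delete retention policy with a purge job and a Download-Your-Information-style export. The store names, record layout, dates and the audit helper are all assumptions. In the buggy configuration the purge job is wired to only one of the backend stores, so an export that reads every store resurfaces a photo deleted years earlier; in the fixed configuration the purge covers every store, and the export additionally filters against the ledger of delete requests as a second line of defence. The audit function is the check a practitioner would run against a real export: compare what was exported against the record of what the user asked to delete.

```python
"""Model of a retention failure: soft-deleted content must be purged from every
backend store, or an export that reads an un-purged store resurfaces it.
Added example, not Instagram's code.  Store names, record layout, dates and
the audit helper are assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=90)                    # deleted content may linger this long
NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)   # constructed "current" time

Store = Dict[str, "Media"]


@dataclass
class Media:
    media_id: str
    owner: str
    created_at: datetime
    deleted_at: Optional[datetime] = None  # soft-delete marker set by a user delete


def seed() -> Tuple[Dict[str, Store], Dict[str, datetime]]:
    """Constructed sample data: a primary media table plus a secondary store
    (a mirror or index) holding copies of the same rows.  The deletion ledger
    is the authoritative record of the user's delete requests."""
    rows = [
        Media("m1", "saugat", datetime(2014, 5, 1, tzinfo=timezone.utc),
              deleted_at=datetime(2014, 9, 1, tzinfo=timezone.utc)),   # deleted ~6 years ago
        Media("m2", "saugat", datetime(2020, 7, 1, tzinfo=timezone.utc),
              deleted_at=datetime(2020, 7, 20, tzinfo=timezone.utc)),  # still inside the window
        Media("m3", "saugat", datetime(2020, 6, 1, tzinfo=timezone.utc)),  # never deleted
    ]
    stores = {"primary": {m.media_id: m for m in rows},
              "archive": {m.media_id: replace(m) for m in rows}}
    ledger = {m.media_id: m.deleted_at for m in rows if m.deleted_at}
    return stores, ledger


def is_expired(deleted_at: Optional[datetime], now: datetime) -> bool:
    """True once a soft-deleted record has outlived the retention window."""
    return deleted_at is not None and deleted_at + RETENTION <= now


def purge_expired(store: Store, now: datetime) -> List[str]:
    """Hard-delete expired records from one store; returns the purged ids."""
    expired = [mid for mid, m in store.items() if is_expired(m.deleted_at, now)]
    for mid in expired:
        del store[mid]
    return expired


def run_purge(stores: Dict[str, Store], now: datetime,
              targets: List[str]) -> Dict[str, List[str]]:
    """The purge job only cleans the stores it has been wired to (`targets`).
    Leaving a store out of that list is the class of bug the report describes."""
    return {name: purge_expired(stores[name], now) for name in targets}


def export_dyi(owner: str, stores: Dict[str, Store], now: datetime,
               ledger: Optional[Dict[str, datetime]] = None) -> List[str]:
    """Build an export by reading every store.  When a ledger is supplied,
    content whose delete request is past retention is filtered out even if
    some store failed to purge it (defence in depth)."""
    out = set()
    for store in stores.values():
        for m in store.values():
            if m.owner != owner:
                continue
            if ledger is not None and is_expired(ledger.get(m.media_id), now):
                continue
            out.add(m.media_id)
    return sorted(out)


def audit_export(exported: List[str], ledger: Dict[str, datetime],
                 now: datetime) -> List[str]:
    """Cross-check an export against the deletion ledger: anything exported
    whose delete request is past retention should not exist anywhere."""
    return sorted(mid for mid in exported if is_expired(ledger.get(mid), now))


def buggy_export() -> Tuple[List[str], List[str]]:
    """Purge wired to the primary store only; the export reads both stores."""
    stores, ledger = seed()
    run_purge(stores, NOW, targets=["primary"])
    exported = export_dyi("saugat", stores, NOW)
    return exported, audit_export(exported, ledger, NOW)


def fixed_export() -> Tuple[List[str], List[str]]:
    """Purge every store, and filter the export against the ledger as well."""
    stores, ledger = seed()
    run_purge(stores, NOW, targets=list(stores))
    exported = export_dyi("saugat", stores, NOW, ledger=ledger)
    return exported, audit_export(exported, ledger, NOW)


if __name__ == "__main__":
    print("buggy:", buggy_export())  # (['m1', 'm2', 'm3'], ['m1'])
    print("fixed:", fixed_export())  # (['m2', 'm3'], [])
```

Note that the recently deleted item `m2` legitimately appears in both exports: it is still inside the 90-day window, which is what the retention policy permits. The audit only flags `m1`, whose delete request is years old. The ledger-based filter in the fixed export is not a substitute for purging the archive store; it is there so that a future store that is accidentally left out of the purge job cannot leak expired content through this particular path.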
He reported the issue as a security and privacy concern under Facebook's bug bounty program.
At first the team triaged it as a known, low-impact issue, but on further review it was treated as a serious threat to users' privacy. The export is only ever handed to the account owner, but that is little comfort: anyone who takes over the account, or who gains access to the backend store where the content lingers, can recover photos and messages the user believes were gone years ago, and the behaviour contradicts the stated retention period.
Instagram Paid $6000 Bounty
After months of investigation, the company awarded Saugat a $6,000 bounty for the report and asked him not to disclose the issue publicly until a fix was in place. The fix shipped in August 2020, and the issue was then made public. He quoted the following message from the team in his blog post.
“Your report has pointed out an edge case where some content wasn’t properly deleted by our frameworks from our backend systems and was still accessible to the rightful owners as part of a DYI report. Based on your findings, we have now made framework changes to account for these types of issues to prevent this from occurring in the future.
Please note, we’re paying this out even though the fix is still pending. Please refrain from disclosing this publicly until fully resolved.”
The fix had originally been expected in March 2020, but the pandemic delayed it until August. The company did investigate the report actively and paid the bounty before the fix was complete, though roughly ten months passed between the October 2019 report and the release of the fix.
Personal data is among the most valuable assets a platform holds, and its mishandling exposes users to real risk. Widely used social media platforms such as Instagram hold more of it than almost anyone else, and a user who deletes content is relying on the backend to actually purge it from every copy. A report that those deletion guarantees fail should be handled as seriously as any other security bug.