The researcher found that Instagram retained photos and private direct messages that had been deleted a year earlier.
Nepali independent security researcher Saugat Pokharel has received a USD 6,000 bug bounty payout for finding a bug on Instagram.
Usually, it takes 90 days for Instagram to completely erase the deleted data from its servers and systems.
But Pokharel found that Instagram servers retained photos and private direct messages that he had deleted a year ago.
When he downloaded his data through Instagram's ‘Download Your Data’ feature, which was launched to comply with GDPR, the export included private messages and photos that he had previously deleted.
So, Pokharel reported the issue to Instagram in October 2019 through its bug bounty program. However, he did not disclose the bug to the news media, because Instagram's policy required him to reveal the information only after the bug was fixed.
Instagram fixed the bug earlier this month and allowed Pokharel to disclose it.
“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” said a spokesperson for Instagram.