Critical Instagram error exposed by security researcher

By Rahul Vaimal, Associate Editor
  • Follow author on
Instagram Image
Representational Image

When Saugat Pokharel, a security researcher, asked Instagram for a copy of images and direct messages sent from the app he was provided with data which he deleted more than a year ago, suggesting that the details had never been fully deleted from the servers of the photo-sharing app.

Instagram claims that this was due to a bug in its system that is resolved now, and gifted Pokharel with a $6,000 bug reward for pointing out the problem. Pokharel found the bug in October last year and claims it was addressed earlier this month.

“The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us,” said a spokesperson from Instagram.

The Data Download Tool allows users to export their images, videos, archived posts, profile, info, comments, and certain messages that can be stored for longer, although it may take a few hours to days to get it ready for download.

It’s not clear how prevalent this issue is, and whether it affected all or only a few of the Instagram users, but it’s definitely not an uncommon issue. Whenever we remove data from online services, there is usually some undefined time period until the data is fully deleted from the servers on the internet.

The company says it typically takes about 90 days for Instagram to delete data altogether. In the past, however, security researchers found similar problems with other sites, including Facebook, which maintained direct messages from users for years after they were presumably deleted.

The problem was only revealed in this case, because Pokharel had the option of downloading a copy of his Instagram data. This download tool was launched by the Facebook-owned platform in 2018 to comply with the EU (European Unions) data privacy GDPR regulations.

The GDPR mandates that the EU citizens have a ‘right of access’ to their data, enabling them to request a copy of all the information that a company stores about them within a fair time period.

YOU MAY LIKE