Instagram Wasn’t Honoring Its Data Retention Rules Due to a Bug

• A researcher casually discovered a critical privacy flaw on Instagram after he got a backup of his data.
• Due to a bug, Instagram had kept files that he had deleted over seven years ago, including conversations.
• The researcher was awarded $6,000 even before the fix was made available to the public.

Nepalese security researcher Saugat Pokharel has discovered what he calls the “coolest and easiest” bug on Instagram by accident. Still, the users of the popular social media platform may not find it equally cool, though. As the man reveals now, Instagram was keeping user images and private direct messages many years after they had been deleted.

Pokharel reported the issue in October 2019, but it took Instagram until this month to fix it. For finding and reporting such a crucial bug, the researcher got $6,000 from the platform.

Back in 2018, Instagram introduced a feature that allowed users to download their data, as part of their efforts to comply with the GDPR dictations. Saugat just casually sent a request of this type and figured that Instagram sent him stuff that he had deleted as far back as in 2013.

In one characteristic case, he saw an image that he had deleted within a minute of uploading seven years ago, and yet Instagram still kept it all this time. The man then dug further and found deleted conversations, URL links for images shared in these conversations, and everything else that had been shared between him and his friends.

Facebook’s security agents figured that this was due to a bug in the CDN (content distribution network). Due to a misconfiguration, the deleted data was removed from public view but remained accessible if someone had a direct link. Also, while the data should have been deleted within 90 days, the system failed on that part too.

To fix the problem, Facebook’s engineers had to make framework changes on the backend systems. Reportedly, the reason it took the security team a total of eight months to release a fix was the coronavirus pandemic breakout and the disruption it caused.

If this story has anything to teach young bounty hunters, it is that not every finding hides behind intricate systems that need in-depth research. In this case, Saugat found something that was important due to the law regulations, and which could lead to Facebook paying many millions in GDPR fines if a hacker had exploited the bug.

Related: Instagram Finally Launches Web App for Direct Messages

The flaw was so simple that no actual technical knowledge was even required to find it and realize its worth. That said, when looking for a bug, start from the basic, simple, and most generic layers of a platform. Saugat was pleasantly surprised when he saw the contents of the backup sent by Instagram, and he was already on the way of getting his $6k reward.