The vulnerability was discovered by researcher Saugat Pokharel when he downloaded his data from Instagram last year and found that the archive included photos and messages he had previously deleted. The researcher received a reward of $6,000 for reporting the issue through Instagram’s bug bounty program.
In a conversation with TechCrunch, Pokharel said that Instagram didn’t delete his data even after he deleted it on his end. Once he realized this, he reported it. This was in October 2019.
Instagram Vulnerability Explained
The bug existed in a feature that Instagram added back in 2018 in accordance with GDPR. The regulation requires companies operating in Europe to notify the authorities within 72 hours of any data breach or face financial penalties. The GDPR feature allowed people to download their data, similar to what Facebook, the parent company, provided to its users.
This is not the first case of Instagram failing to delete user data. Last year, another researcher, Karan Saini, discovered that the photo sharing service kept direct messages for years, even after they were deleted. Saini also revealed that Instagram sent the data to and from accounts that were deactivated or suspended.
The good news is that the bug discovered by Pokharel doesn’t seem to have been exploited in the wild.
Last year, security researcher Laxman Muthiyah discovered a critical vulnerability that could have allowed remote attackers to reset the password of Instagram accounts, thus obtaining full access to the compromised accounts. The vulnerability resided in the password recovery mechanism in the mobile version of Instagram.
The vulnerability was reported to Facebook, but it took some time for Facebook’s security team to reproduce the issue because the information in the researcher’s report was not enough. However, the proof-of-concept video convinced them that the attack was feasible.