Instagram kept copies of deleted pictures and private direct messages on its servers even after someone removed them from their account. The Facebook-owned service acknowledged the slipup and awarded a security researcher $6,000 for finding the bug.
Researcher Saugat Pokharel discovered the vulnerability when he downloaded his data last year from the photo-sharing app, according to a report on TechCrunch. The data included photos and private messages that he’d previously deleted, alerting him to a problem, he said.
“Instagram didn’t delete my data even when I deleted them from my end,” Pokharel told TechCrunch.
When he realized this, he reported the bug in October 2019 to Instagram through its bug bounty program, Pokharel said. He told TechCrunch that Instagram fixed the bug earlier this month.
The flaw was in a feature that Instagram launched in 2018 in response to the European General Data Privacy Regulation (GDPR), which requires any companies operating in Europe to notify the authorities within 72 hours of confirming a data breach or face stiff financial penalties.
The GDPR, which went into effect on May 25, 2018, also has a data portability component requiring companies to give people access to their data. Instagram’s feature allowing people to download their data came on the heels of its parent company Facebook providing a similar feature for its platform.
The flaw is not the first time Instagram has been found saving people’s data even after they thought they deleted it, however. Last year, security researcher Karan Saini reported that the company keeps direct messages for years, even if people have deleted them from their feed. Moreover, he found that Instagram also sent data to and from accounts that have been deactivated and suspended.
A spokesperson for Instagram confirmed the bug and its fix and said there has been “no evidence of abuse” of the vulnerability, according to the report.
“We thank the researcher for reporting this issue to us,” the spokesperson told TechCrunch.
Hearing that a social media app may have mishandled user data should come as little surprise. Facebook has come under heavy fire for its privacy practices and even received a $5 billion fine from the Federal Trade Commission (FTC) for disseminating user data without their knowledge in the now-infamous Cambridge Analytica incident.
Twitter, too, has had its issues with how it uses data it collects about its users. The company potentially is facing a Federal Trade Commission (FTC) fine of up to $250 million after it acknowledged last year that user emails and phone numbers were being used for targeted advertising.
Meanwhile, the popular video-sharing app TikTok, owned by Beijing-based parent company ByteDance Ltd., has garnered the lion’s share of the headlines lately for its own questionable privacy practices when it comes to user data.
The app has been found collecting unique identifiers from millions of Android devices without their users’ knowledge using a tactic previously prohibited by Google because it violated people’s privacy. TikTok hid the practice using an extra layer of encryption, researchers said.
This news came on the heels of a discovery in June that TikTok persisted in reading Apple iPhone users’ cut-and-paste data even after its owners promised it would eliminate this practice back in March. A security researcher discovered the app engaging in this activity in February.
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.
