The Instagram photo-sharing app retained people’s photos & private direct messages on its servers even after users removed them.
Instagram kept copies of deleted pictures & private direct messages on its servers even after someone removed them from their account. The Facebook-owned service admitted their mistake & gave a security researcher $6,000 for finding the bug.
Researcher Saugat Pokharel found the vulnerability as he downloaded his data in 2019 from the photo-sharing app, according to a report on TechCrunch. The data included photos & private messages that he’d previously deleted, alerting him to a problem, he explained.
“Instagram didn’t delete my data even when I deleted them from my end,” Pokharel told TechCrunch.
When he realised this had not been done, he reported the bug in Oct. 2019 to Instagram through its ‘bug bounty program’, Pokharel said. He explained to TechCrunch that Instagram fixed the bug earlier this month.
The flaw was in a feature that Instagram launched in 2018 in response to the European General Data Privacy Regulation (GDPR), which requires any companies operating in Europe to notify the authorities within 72 hours of confirming a data breach or face stiff financial penalties.
The GDPR, which went into effect on May 25, 2018, also has a data portability element requiring companies to give people access to their data.
Instagram’s feature allowing people to download their data came after its parent company Facebook providing a similar feature for its platform.
The flaw is not the first instance Instagram has been discovered saving people’s data even after they thought they deleted it, unfortunately.
In 2019, Security Researcher Karan Saini reported that the company keeps direct messages ‘for years’, even if people have deleted them. In addition, he found that Instagram also seemed to send data to & from accounts that have been supposedly deactivated & suspended.
A spokesperson for Instagram has confirmed the bug, & its fix, & commented that there has been “no evidence of abuse” of the vulnerability, observed the report.
“We thank the researcher for reporting this issue to us,” the spokesperson responded further.
$5 billion fine
That a social media app may have mishandled user data is not fresh news. Facebook has been under severe attack for its privacy practices, & even received a $5 billion fine from the US Federal Trade Commission (FTC) for spreading user data without their knowledge, in the infamous Cambridge Analytica scandal.
Twitter, too, has had issues with how it uses the data it collects from its users. The company is potentially is facing a US Federal Trade Commission (FTC) fine of up to $250 million, after it revealed last year that user emails & phone numbers were actually being used for targeted advertising.
Also, the video-sharing app TikTok, owned by Beijing-based parent company ByteDance Ltd., has made headlines recently for its own suspect privacy practices as per user data.
The app has been discovered collecting unique identifiers from millions of Android devices without their users’ knowledge, using a method previously prohibited by Google, because it violated people’s privacy. TikTok hid this using an extra layer of encryption, researchers concluded.
This news came following a discovery in June that TikTok persisted in reading Apple iPhone users’ cut-and-paste data even, even after its owners promised it would eliminate this practice in March. A security researcher discovered the app doing this in Feb.