Nepali independent security researcher Saugat Pokharel found a bug on Instagram and was awarded a $6,000 bug bounty payout. He received the money on February 7, but under company policy the information could not be disclosed until the bug was fixed. Earlier this month, the company fixed the bug and allowed Pokharel to disclose the issue. He then told TechCrunch about it, and several other tech media outlets published the news thereafter.
As reported by TechCrunch:
A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them.
Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted.
He found that Instagram stored deleted photos and direct messages for more than a year. The company says this was due to a bug in its system and that the bug has now been fixed.
It usually takes about 90 days for deleted data to be fully removed from Instagram's systems. But that did not happen in Pokharel's case. Instead, Instagram kept the deleted data for more than a year. After he found this bug, he reported the issue to Instagram in October last year via its bug bounty programme. Instagram said that it has fixed the issue and has not found any instances of abuse. The company also thanked the researcher for reporting the problem.
Who is Saugat Pokharel?
Saugat Pokharel is a 21-year-old Nepali independent security researcher. He is originally from Syangja (mid-western part of Nepal) and currently lives in Kathmandu. He is studying for a bachelor's degree in Physics at Amrit Science Campus (Tribhuvan University). He runs several websites and spends time researching web and technology security.