
Instagram Retained Deleted Photos and Messages on Its Servers for Over a Year

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,043
12,593


Instagram has awarded a security researcher a $6,000 bug bounty payout after he found photos and private direct messages on the platform's servers that he had deleted more than a year ago (via TechCrunch).

Saugat Pokharel discovered that his content hadn't been removed in October after downloading a copy of his data from the photo-sharing app. Instagram introduced the download option two years ago to comply with the European Union's data privacy GDPR regulations.

Instagram said the reason Pokharel's information had never been entirely removed from its servers was down to a bug that it's now fixed.
"The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram," a spokesperson for Instagram told TechCrunch. "We've fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us."
The issue is almost identical to one that Twitter fixed last year, in which a security researcher discovered years-old messages in a file from an archive of data from an account that was no longer active.

Although the retrieval of deleted data was bug-related in both cases, it's worth remembering that when you opt to delete content from social media accounts, it can still hang around on company servers for some time.

Twitter says that accounts that are deactivated and deleted are removed along with all of their data after 30 days, while Instagram says it takes about 90 days for deleted data to be fully removed from its systems.


Article Link: Instagram Retained Deleted Photos and Messages on Its Servers for Over a Year
 

12643

macrumors member
Jul 5, 2018
51
369
The bug isn’t that they failed to delete the photos; that behavior is intentional. The bug is including the evidence in your data download.

Just read their own words “The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram”
 
Comment

laptech

macrumors 6502a
Apr 26, 2013
647
923
Earth
Interesting how non-compliance with privacy data laws amongst companies is always the cause of a 'software bug'. Those who have worked in companies that have large customer databases know that when a request for a customer record is to be deleted, the computer tech whose job it is to delete the record is also required to make sure that the data is actually deleted. It is standard practice within companies that hold customers' data to have policies and procedures in place that instruct computer techs on what they should do with regard to deleting customer data and confirming that the customer data is actually deleted.

If the law requires a company to delete customer data off their server but that data is still on the server many months later, it's not due to a 'software bug', it is due to the company having no intention of deleting the data in the first place and only does so when they get caught out.
 
Comment

GtrDude

macrumors 6502a
Apr 17, 2011
526
561
Well, they're owned by Facebook. Don't know what people are expecting here.
It's the very same people who do some of the most spying that takes place on the internet along with Google.
They didn't buy Instagram because they were feeling nice and wanted to become the world host for a bunch of photos and videos.
This is Facebook we're ultimately talking about.
 
  • Like
Reactions: Rojaaemon
Comment

Jyby

Suspended
May 31, 2011
720
617
Recently TikTok was caught recording MAC addresses. But weren't Google and Facebook caught recording wifi locations and Bluetooth devices? None of these social media apps are safe, people; their business model is data driven. They want your data! And don’t feel societal pressure to get a LinkedIn, they’re just as corrupt and don't care about your privacy.

I’m happy I no longer have social media
 
Comment

wolfshades

macrumors 6502
Nov 1, 2007
447
563
Toronto, Ontario Canada
The bug isn’t that they failed to delete the photos; that behavior is intentional. The bug is including the evidence in your data download.

Just read their own words “The researcher reported an issue where someone's deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram”

Exactly what I was thinking. So FB/Instagram thanked the guy NOT for pointing out that his photos were still on their servers but for showing the bug that supports evidence that it's still there. Privacy professionals should be all over this.

Or, I suppose, maybe this is our sign to get the hell out of Dodge and remove our accounts from Instagram, FB and anything else FB gets its ugly mitts on.
 
Comment

1144557

Cancelled
Sep 13, 2018
925
2,410
Yet we are all up in arms over TikTok when it is these American companies that keep getting caught doing scummy things.
Like TikTok looking at people's clipboards until iOS 14 beta made it publicly known.

This/Facebook is scummy, but to be fair TikTok was saving MAC addresses for 12-18 months. That is a FAR FAR bigger privacy issue than your old messages (with no hint of some data breach others got them). That is far far far more concerning than storing photos/messages that no one got to (at least no breach has been mentioned).

Just for fact accuracy purposes here.

Let's not pretend people didn't know Facebook and entities were already scummy but keep using their services sending private thoughts and photos around and shocked when your wishes aren't honored. That is self-inflicted, storing your MAC address is not (and also an app store violation on Apple and Google so no one has a reasonable expectation it's happening).
 
Comment

MistrSynistr

macrumors 65816
May 15, 2014
1,455
1,604
These aren't bugs. All of these social media platforms exist as deep spyware tools to collect potential blackmail/incriminating things on you should you go against their "narrative". Their "lie" is the spying is for advertising purposes.

You're being had.
 
  • Like
Reactions: Basic75
Comment

zackkitzmiller

macrumors member
Jun 1, 2007
52
52
Recently TikTok was caught recording MAC addresses

You know MAC addresses are not only changeable but literally non-identifiable at all, right? There is zero danger or issue with storing or using a MAC for anything. There are MAC collisions, and they're used by a hardware manufacturer to identify hardware on a network to properly route traffic. It's not even like you could pipe traffic to one.
 
  • Like
Reactions: Lazy
Comment

1144557

Cancelled
Sep 13, 2018
925
2,410
You know MAC addresses are not only changeable but literally non-identifiable at all, right? There is zero danger or issue with storing or using a MAC for anything. There are MAC collisions, and they're used by a hardware manufacturer to identify hardware on a network to properly route traffic. It's not even like you could pipe traffic to one.

"The MAC address is useful to advertising-driven apps because it can’t be reset or altered, allowing app makers and third-party analytics firms to build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone."

Maybe on PC, not on mobile (before iOS 14 at least with private address). And 99.99% of people don't know what a MAC address is to begin with.
 
Comment

zackkitzmiller

macrumors member
Jun 1, 2007
52
52
"The MAC address is useful to advertising-driven apps because it can’t be reset or altered, allowing app makers and third-party analytics firms to build profiles of consumer behavior that persist through any privacy measure short of the owner getting a new phone."

Maybe on PC, not on mobile (before iOS 14 at least with private address). And 99.99% of people don't know what a MAC address is to begin with.

It's unfortunate that the article that most people read is incorrect. Because that's just literally not true. While you _may_ not be able to change the address that's burned on to the NIC (though usually, you can), you can absolutely change the MAC on any Linux device (Android included).

`ip link set wlan0 address XX:XX:XX:YY:YY:YY` (could be ifconfig vs. ip depending on your *nix) in a terminal will just set the MAC to whatever you desire (as long as it fits in the HEX character set). Additionally, the MAC received by a provider is often not the MAC that is set to your device but the MAC set at the switch level. It's common to see a misconfigured switch that is passing along its own MAC for routing.
 
Comment

1144557

Cancelled
Sep 13, 2018
925
2,410
It's unfortunate that the article that most people read is incorrect. Because that's just literally not true. While you _may_ not be able to change the address that's burned on to the NIC (though usually, you can), you can absolutely change the MAC on any Linux device (Android included).

`ip link set wlan0 address XX:XX:XX:YY:YY:YY` (could be ifconfig vs. ip depending on your *nix) in a terminal will just set the MAC to whatever you desire (as long as it fits in the HEX character set). Additionally, the MAC received by a provider is often not the MAC that is set to your device but the MAC set at the switch level. It's common to see a misconfigured switch that is passing along its own MAC for routing.

And again 99.9999% don't even know what a MAC address even is to begin with. You are talking coder level stuff not an average person, so still a moot point for the vast majority of the smartphone owning population.

If a fraction of a fraction of a fraction of a percent of the population could do that I'd be extremely shocked.

It doesn't make the practices any less abusive to the mass population.
 
Comment

rp2011

macrumors 68000
Oct 12, 2010
1,803
1,887
Good ol' "it's a bug and we fixed it" excuse when you get caught. Oldie but a goodie.
 
  • Like
Reactions: dabotsonline
Comment