Technical Analysis of "Deleted Data Stored Permanently on Instagram: Facebook Bug Bounty 2020"

Overview:
The provided write-up dissects a critical flaw in Facebook's handling of user data on Instagram, where deleted private messages, photos, and other content were retained indefinitely on Facebook's servers. This analysis highlights the discovery, technical processes involved, and the security implications of retaining ostensibly deleted user data.

Key Technical Details:

  1. Discovery Phase: The vulnerability was identified by a security researcher who initiated an extended investigation into the behavior of Instagram's 'Download Your Information' (DYI) feature. The researcher noted discrepancies where so-called deleted content was retrievable even after deletion.

  2. DYI Feature Analysis:
     - Functionality: Instagram's DYI feature allows users to request all their account data. The feature is presumed to provide comprehensive and accurate data, including active and inactive (deleted) data.
     - Observation: Upon requesting his data, the researcher observed that previously deleted content reappeared in the dataset provided by the DYI tool.

  3. Retained Content: The researcher identified that old, deleted direct messages (DMs), photos, and other media were present in the download. This contradicts the expectation that such content would be permanently removed from all Instagram servers within a specified period after deletion.
     - Deleted DM Recovery: The downloaded information included private messages and photos that had been deleted over a year prior to the data request.
     - Deleted Media Recovery: Similarly, photos and videos that had been deleted were also present in the DYI data dump.

  4. Discrepancy in Data Deletion Policies:
     - Data Deletion Policies: According to Facebook and Instagram's official data retention policies, deleted data should be removed completely from servers within a fixed timeframe, typically 90 days.
     - Compliance Issue: The presence of long-deleted data indicated non-compliance with these policies, pointing towards a systemic issue in data deletion processes.

  5. Responsible Disclosure: The researcher reported the finding to Facebook's bug bounty program:
     - Response: Facebook acknowledged the issue and worked on a fix. The researcher was awarded a bounty for the valid and impactful report.
     - Fix Implementation: Facebook assured that the bug was rectified and improvements made to ensure the deletion policies were correctly enacted.

  6. Technical Takeaways:
     - Data Retention Verification: Platforms must implement rigorous verification mechanisms to confirm that deletion processes work as intended and data is irreversibly removed.
     - Auditable Deletion Processes: Regular audits and providing transparent, auditable logs on data deletion processes can help in maintaining compliance and trust.
     - User Rights and Data Management: This issue underscores the importance of adhering to data privacy guidelines and user rights regarding data management, especially under frameworks like GDPR.

  7. Security Implications:
     - User Privacy: Retention of deleted data represents a significant privacy risk, potentially exposing sensitive information beyond intended retention periods.
     - Legal and Compliance Risk: Non-compliance with publicly stated data deletion policies can attract regulatory scrutiny and legal challenges, especially in regions with stringent data protection laws.

  8. Recommendations for Developers and Security Teams:
     - Enhanced Monitoring: Implement robust monitoring and logging of deletion requests to track their execution across distributed systems.
     - Data Purging Protocols: Develop secure and verifiable data purging protocols that ensure data is completely removed from all storage layers, including backups.
     - Regular Testing: Conduct regular pentesting focused on data retention mechanisms and verify the effective deletion of user data.
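As an added example (not code from the original write-up or from Facebook), a deletion-verification check of the kind the takeaways and recommendations describe: it cross-references a DYI-style export against the platform's own deletion log and flags every item that was deleted more than the stated 90-day retention window ago yet still appears in the export. The export schema, the deletion log format and all sample records are constructed for illustration and do not reflect Instagram's real data format.

```python
import json
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # the 90-day deletion window the stated policy allows

# Constructed sample: a simplified DYI-style export (not Instagram's real schema).
EXPORT_JSON = """
{
  "export_generated_at": "2020-08-01T00:00:00Z",
  "messages": [
    {"id": "m1", "text": "hi", "sent_at": "2019-05-01T10:00:00Z"},
    {"id": "m2", "text": "still here?", "sent_at": "2020-07-20T09:00:00Z"}
  ],
  "media": [
    {"id": "p1", "uri": "photos/p1.jpg", "taken_at": "2019-02-11T08:00:00Z"},
    {"id": "p2", "uri": "photos/p2.jpg", "taken_at": "2020-07-30T12:00:00Z"}
  ]
}
"""

# Constructed deletion log: what the user deleted and when. In practice this is
# the platform's own auditable record of deletion requests (assumed format).
DELETION_LOG = [
    {"id": "m1", "kind": "messages", "deleted_at": "2019-06-01T00:00:00Z"},
    {"id": "p1", "kind": "media", "deleted_at": "2019-03-01T00:00:00Z"},
    {"id": "m2", "kind": "messages", "deleted_at": "2020-07-25T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_retention_violations(export_json, deletion_log, retention_days=RETENTION_DAYS):
    """Return (violations, pending): items past the retention window that are
    still exported, and items deleted recently enough that they may still be
    legitimately awaiting purge."""
    export = json.loads(export_json)
    generated = parse_ts(export["export_generated_at"])
    cutoff = generated - timedelta(days=retention_days)
    # Index everything the export still contains by (kind, id).
    present = {(kind, item["id"])
               for kind in ("messages", "media") for item in export.get(kind, [])}
    violations, pending = [], []
    for rec in deletion_log:
        key = (rec["kind"], rec["id"])
        if key not in present:
            continue  # deleted and genuinely gone: the expected outcome
        deleted_at = parse_ts(rec["deleted_at"])
        if deleted_at <= cutoff:
            violations.append({"kind": rec["kind"], "id": rec["id"],
                               "days_since_deletion": (generated - deleted_at).days})
        else:
            pending.append(key)
    return violations, pending
```

Run against real exports, the same check turns a one-off researcher observation into a repeatable regression test for the deletion pipeline.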

Conclusion:

This detailed analysis underlines the complexity and responsibility associated with data handling in large platforms like Instagram. The incident revealed substantial gaps in data deletion processes, demonstrating a critical lesson for data custodians about the importance of thorough and transparent data management practices to maintain user trust and regulatory compliance. Platforms must guarantee that user data deletion requests are honored not just in principle, but effectively in practice.

For full details, refer to the original write-up here.