So this write up is about the bug in Instagram data download feature. So this features allows you to download your personal data including messages, photos, followers, comments and many other things for future backup. But what if the deleted content was also present in the data backup? That’s exactly what happened to me.

If a person deletes a message or any kind of photo, it takes upto 90 days to completely delete that item from data backup. I uploaded a photo during the Covid-19 pandemic period. Due to some reasons I instantly deleted that photo. Nearly after two years, I was checking the backup file which I had requested from my account, I saw that the photo which I deleted instantly that time was present there. The same photo was present in three different folders with different id names.

This was against the Facebook policy which says that photo might take up to 90 days to get completely removed. But in my case it was already around 2 years. So I made a detailed report to Facebook Security Team about the issue. The team verified that the photo was deleted and was also present in data backup.

After nearly six months of conversation with the security team, they fixed the issue and paid me a bounty of $550.

Also I got my name in the “Hall of Fame 2021” (https://m.facebook.com/whitehat/thanks). You can also connect with me on LinkedIn & Twitter.

Report Timeline

Reported: May 25, 2021

Reviewed and asked for more information: May 26, 2021

Bounty Awarded: September 15, 2021

Bounty Amount: $500+$50(Delay bonus)