Resources

Twitter retains direct messages for years, including messages you and others have deleted

Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini.

Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient …

501

Instagram Wasn’t Removing Photos and Direct Messages From Its Servers

A security researcher was awarded a $6,000 bug bounty payout after he found Instagram retained photos and private direct messages on its servers long after he deleted them.

Independent security researcher Saugat Pokharel found that when he downloaded his data from Instagram, a feature it launched in 2018 to comply with new European data rules, his downloaded data contained photos and private messages with other users that he had previously deleted. It’s not uncommon for companies to store freshly deleted data for a time until it can be properly scrubbed from its networks, systems and caches. Instagram said it takes about 90 days for deleted data to be fully removed from its systems. But Pokharel found that his ostensibly deleted data from more than a year ago was still stored on Instagram’s servers, and could be downloaded using the company’s data download tool. Pokharel reported the bug in October 2019 through Instagram’s bug bounty program. The bug was fixed earlier this month, he said.

620