Meet Saugat Pokhrel: Independent Security Researcher who got $6000 from Instagram as a bounty
Saugat Pokhrel is an ordinary security researcher and bug hunter. As the phrase goes, "Lady Luck favors those who try", and Saugat is a prime example of how success follows if you keep working.
Saugat Pokhrel - an independent Security Researcher.
Saugat found that even after deleting photos and videos from Instagram, they were still stored on Instagram's servers. This is a serious privacy issue: once a user deletes information with proper authorization, it should no longer be available. So, Saugat decided to mail the Instagram security team, and within two hours he was awarded a $6000 bounty. Is the story that simple? No. Let's dive into the details of how he discovered the bug and was awarded a respectable amount for the problem.
One ordinary day, Saugat was simply trying to back up and save his photos from Instagram, thinking they might be useful in the future. The Instagram data download reveals all of your information: login details, likes and comments, follower details, conversations, search history, and so on.
After downloading the zipped file, he noticed something that raised his suspicion. He saw photos he had deleted back in 2013 still present in the downloaded file. Some companies keep records of deleted files for around 3-6 months or even a year, but 6 years is a very long time. So, he decided to report the issue to Facebook.
Here's the message he sent to the Facebook team:
However here is the message Facebook team replied to him:
Hi Saugat,
Thank you for your report. We are unsure at this time that this is a privacy or security issue; as such, it might not qualify as a part of the bounty program. Could you please clarify how this bug is able to compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook’s infrastructure?
Thanks,
Ed Kurson
Security
This was not the message Saugat was expecting, because he clearly understood that the bug had deeper implications and should be fixed. So, he was thinking of following up with another email clarifying the issue. However, to his surprise, he got an email from Instagram the next day.
Hi Saugat,
I’m Megan from the Security team. I wanted to apologize for the confusion and let you know that we are taking another look at your report.
I will keep you updated on our progress.
Thanks,
Megan
Security
He was then sent a series of questions to clarify how he found the bug and which id/username was affected. They asked him about the last backup he had made and also told him to request another backup to see if the problem still persisted.
The deleted data was still present in the new backup, so they asked him for more details about the issue and also asked him to send a screenshot of the backup. Saugat replied with as much detail as possible.
His report was then forwarded to the Instagram Security and Privacy team. After that, he checked multiple Instagram accounts and the problem was still present.
Since the issue had been forwarded to the appropriate team, a fix was being deployed. He repeatedly messaged them asking to be kept informed of the progress, but to his surprise he got no reply. He messaged them again and again, but there was no reply from the Instagram team for around 3 months.
After three long months, the Instagram team replied that their team was working on a complete fix and that updates on the issue would be provided soon.
Finally, on February 7, 2020, he got another reply from the Facebook team, and it took him by surprise. They had decided to reward him for the bug he found. The Instagram team awarded Saugat Pokhrel $6,000 for the bug, and around July 7, 2020, he got confirmation that the bug was finally fixed.
As an Instagram spokesperson told TechCrunch: "The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us."
Twitter faced a similar issue a year later, where users were able to access their deleted messages - including messages sent to and received from deactivated accounts.
This article was compiled from different sources and Saugat Neupane's write-up on his bug bounty on Medium. If you want to show support, please visit his article and give him a like (👍).