Instagram will pay security researchers to track down rogue app developers that scrape and misuse user data

Instagram boss Adam Mosseri. Reuters
  • Instagram will pay security researchers to track down rogue developers misusing its users’ data.
  • The Facebook-owned photo-sharing app has announced a Data Abuse Bounty program.
  • It comes after Business Insider discovered a startup was harvesting millions of users’ data and tracking their locations.

Instagram is inviting outside security researchers to help it track down malicious developers who misuse user data.

On Monday, the Facebook-owned photo-sharing app announced it is launching a Data Abuse Bounty program, through which outside experts can earn cash “bounties” by tracking down cases where users’ data is being misappropriated or abused.

The announcement comes a little under two weeks after Business Insider discovered that marketing startup Hyp3r was illicitly harvesting millions of Instagram users’ data, tracking their locations, and saving their Stories. Instagram had failed to notice Hyp3r’s actions, which took advantage of a security vulnerability, and even made Hyp3r a “Facebook Marketing Partner.”

Security bounty programs are increasingly common across the tech industry, with companies inviting security researchers to probe their systems for bugs, vulnerabilities, and security flaws that their own in-house security teams might have missed – with potential bounties sometimes reaching $US1 million for the most serious issues.

Facebook launched a Data Abuse Bounty program for its core social network in April 2018, and is now expanding it to Instagram too.

“Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action,” Instagram security engineering manager Dan Gurfinkel wrote in a blog post. “Just like our bug bounty program, we will reward reports based on impact and quality.”

Instagram has also been quietly warning its other marketing partners not to misuse user data in the aftermath of the Hyp3r revelations, and has sent a cease and desist notice to at least one developer who built a location-tracking app in order to highlight data issues on Instagram.

Instagram has also invited a select group of researchers to “stress test” Checkout on Instagram, a new feature for the app that lets users make purchases and is currently only available to a small group of users in a private beta. “As part of their participation, the researchers will receive early access to the feature and receive bounty awards for eligible reports. The researchers who are helping us test this feature have previously submitted high-quality research to our bug bounty program,” Gurfinkel wrote.

Do you work at Instagram? Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at [email protected], Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.)
