InstaAgent app harvested Instagram usernames and passwords

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
A popular app has been pulled from Apple and Google's stores after being accused of stealing users' passwords.

On Tuesday, another developer posted evidence that it was copying people's Instagram usernames and passwords and sending them to an unknown server. He said these were used to post spam to people's Instagram accounts.

Apple and Google both declined to comment.

The BBC obtained contact details for the app's creator, who registered the product under the name Turker Bayram. However, the person who answered the Turkish phone number said he had poor English, did not reply to questions and walked away from the call.

Instagram told the BBC: "These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."

Are you affected?
 

KokoKid

Level 4
Verified
Sep 27, 2015
179
I do use trusted unofficial third-party programs, such as Free Video to MP3 Converter, ClipGrab, etc. Those are trusted programs. If I ever come across a third-party program I need then I'll run a quick Google search on it and decide myself if it's safe or not.
 

JakeXPMan

Level 17
Verified
Top Poster
Well-known
Oct 20, 2014
804
I'm the same as the above post... I use Qualys BrowserCheck, which is a safe-to-use plug-in, works like Secunia, shows you if something needs updating, includes your Windows update, AV etc.

Qualys BrowserCheck
 

SillyBilly299

Level 17
Verified
Top Poster
Well-known
Apr 26, 2015
815
Apple has removed the "Who Viewed Your Profile - InstaAgent" app from the App Store after a software developer found out that the app in question was secretly stealing Instagram credentials from its users.

David L-R of PeppersoftDev came across some serious privacy issues when analyzing the source code of InstaAgent, one of the App Store's most popular free apps, with over 500,000 downloads. The app allowed users to examine their Instagram profile and see the top users that viewed their profile.

Looking at the app's behavior, David found that InstaAgent was harvesting Instagram user credentials and sending the information to the instagram.zunamedia.com server.

This data was not even protected, being sent unencrypted, meaning that anyone knowing what to look for could have easily intercepted transmissions and gained access to thousands of Instagram usernames and passwords in cleartext (see tweet below).

InstaAgent also had an Android version

Some users later came out and said that the app also posted messages on their behalf. The app did not require permissions from the Instagram API, so this means it was probably using the stolen usernames and passwords to do this.

Apple removed InstaAgent from the App Store when told of the issues. Google also pulled InstaAgent's Android version from the Play Store. It is yet unconfirmed if the Android version also contained the spying functionality in its code.

This is not the first case of malicious apps found in the App Store. In the past two months, we had the XGhostCode disaster when an infected version of Xcode was used to automatically compile clean apps with malware, and the case of various apps that infringed on user privacy or contained malicious SDKs inside their code.
 
hjlbx

Widely accepted apps with malicious code. Been around for a while, but not well known. This is just the beginning and a whole different challenge for IT security.
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
> I use Qualys BrowserCheck, which is a safe-to-use plug-in, works like Secunia, shows you if something needs updating, includes your Windows update, AV etc.

How does that work with Apps downloaded from the Apple App Store / Google Play Store? I think you're getting confused between browser plug-ins and mobile apps.
 

JakeXPMan

Level 17
Verified
Top Poster
Well-known
Oct 20, 2014
804
> How does that work with Apps downloaded from the Apple App Store / Google Play Store? I think you're getting confused between browser plug-ins and mobile apps.

Maybe it's a plug-in for Firefox only? I haven't used it yet on a Chrome browser.
 

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
> Maybe it's a plug-in for Firefox only? I haven't used it yet on a Chrome browser.

Didn't you check the article? InstaAgent is a mobile app for iOS and Android. Why are you talking about BrowserChecks for Desktop Web Browsers?
 

JakeXPMan

Level 17
Verified
Top Poster
Well-known
Oct 20, 2014
804
> Didn't you check the article? InstaAgent is a mobile app for iOS and Android. Why are you talking about BrowserChecks for Desktop Web Browsers?

I replied to the poll Question, not the article. That is the reason.

Do you use unofficial third-party apps?
This poll will close on Nov 25, 2015 at 10:44 AM.
 
