Here’s another good example of why you should never trust your credentials with anyone other than the services you use them with. It’s recently been discovered that a third-party Instagram app — InstaAgent — which promised to tell you who viewed your profile has actually been storing the usernames and passwords of people who use it in an unencrypted plain text file.
The finding was made by iOS developer David L-R, who noticed the unfortunate happenings in his perusal of its codebase. The news doesn’t stop there: David found that the app also ships those credentials off to an unknown server, which means someone is harvesting usernames and passwords for some unforeseen reason. The reason isn’t important, though — it’s the action we’re worried about.
Google and Apple both pulled the app from their respective app marketplaces following the discovery. The app was among the most popular downloads in their categories on each store, which goes to show that even popular legit-looking apps could be just as dangerous as the shady malware you might accidentally install from a third-party marketplace.
Used the app in the past yourself? The best thing you can do right now is change your Instagram password. After that, preventative measure should be the treatment going forward: stop trusting your passwords with third-party apps. If the app doesn’t authenticate your account through that service’s built-in authentication method, then it’s not a good idea. Period. There could be many more apps hiding in plain sight which steal your password, so it’s always best to play it safe and make sure you do everything possible to shield yourself.
Comments