InstaAgent, a third-party app for users to track visitors to their Instagram feeds, was pulled out of app stores by both Apple and Google after an iOS developer discovered the app was stealing people’s logins and passwords.
If you have InstaAgent on your smartphone – and reportedly half a million of you do – delete it immediately.
A developer for Peppersoft, David Layer-Reiss , said he discovered InstaAgent was storing Instagram users’ passwords and usernames and sending them in plain text to another server. He also said the app was using the credentials to “log into accounts and post unauthorized images.” He sent out a warning via Twitter.
“To sum, the behavior of InstaAgent is very very strange, you should not use the app,” Layer-Reiss wrote in his report. “Theoretically, the app developer now has access (and the credential) to over half a million Instagram accounts.”
The creator of the app, Turker Bayram, apologized after the app was banned but denied saving login information.
“Please be relax,” Bayram said in an unsigned statement of broken English posted here. “Nobody account is . . . stolen. Your password never saved (to) unauthorized servers. There is nothing wrong. But again and again, we apologize (to) our precious users.”
InstAgent is not widely popular in the United States, however, it was the number one free app earlier this week in England Canada with thousands of downloads, MacRumors reported.
Layer-Reis’s became curious about how the app could provide this kind of information and after monitoring traffic on the app, found a “suspect” HTTP post to an “unknown” server.
Using the app with his own Instagram account, he discovered an image advertising for InstaAgent was published to his account without permission.
Source: Photo District News