A third-party Instagram app named InstaAgent has been found to 'harvest' user names and passwords of users and send them to an unknown server. Apple and Google removed the app soon after iOS developer David L-R reported the issue on Twitter.
In his tweet David said, "I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS App Store that is downloaded half a million times." According to the developer, the app which comes with full name "Who Viewed Your Profile - InstaAgent" was available to download both via Google Play and App Store, and was able to send user credentials to a remote server via clear text.
The developer also found that the third-party client was posting images without user permission on Instagram profiles. "Surprise, surprise, #InstaAgent is also posting images without your permission in your #Instagram profile," said David in another tweet.
Notably, Instagram's Support Page clearly notifies users not to use any app that leaves comments or shares things that haven't been posted by the user. The company notes, "Never grant third-party access to a website or apps that aren't following our Community Guidelines or Terms of Use (including websites selling or promising free followers or likes), as it's likely an attempt to use your account in an inappropriate way."
MacRumors pointed that before David discovered the 'harvesting' of user names and passwords by InstaAgent, the app was rated as number 1 free app in both Canada and the United Kingdom in the App Store.
In the meanwhile, Instagram has asked users that installed InstaAgent app to change their password. In a statement to BBC, it said, "These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."
Users who use their Instagram password for other sites as well will of course need to make more than one password change.
