InstaAgent app steals usernames and passwords from Instagram users
An app that enables iPhone users to keep an eye on who has been looking at their Instagram account has been pulled from the App Store after it was found to be stealing usernames and passwords.
Apple took the decision to kill "Who Viewed Your Profile -- InstaAgent" when the app was found scraping login details and sending them back to the developer's server. This in itself is worrying for users, but it gets worse: the usernames and passwords were sent in unencrypted format.
The app was reasonably popular, managing to attract around half a million users. Delving into InstaAgent's code revealed that the app was really little more than password-harvesting malware. The incident will once again call into question the vetting process that apps go through before hitting the App Store.
The password-stealing was first spotted by Peppersoft developer David Layer-Reiss who tweeted about his findings:
"Who Viewed Your Profile" #Instaagent will send your Instagram Username and Password to an unknown server! pic.twitter.com/8uZJljJdtO
— David L-R (@PeppersoftDev) November 10, 2015
With Apple having stripped InstaAgent from the App Store, it will no longer be possible for anyone to download it. If you already have it installed, however, the advice would be to uninstall it, and change your Instagram password immediately.
Photo credit: Yeamake / Shutterstock