InstaAlert caught stealing Instagram passwords

If you have recently downloaded and used an app called, InstaAlert, you will want to change your Instagram password before you read the next sentence.

Seriously go do it now.

The app was previously available to both iOS and Android users, but has since been pulled from their respective app stores.

David Layer-Reiss, a Peppersoft developer, was the first to recognize this exploit and shared it with the public via his Twitter account.

"Who Viewed Your Profile" #Instaagent will send your Instagram Username and Password to an unknown server! pic.twitter.com/8uZJljJdtO

— David L-R (@PeppersoftDev) November 10, 2015

InstaAlert, better known as “Who Viewed Your Profile – InstaAgent”, would collect Instagram usernames and passwords and then forward them to a remote server completely unencrypted.  That is a big no-no.

It has been determined that the stolen information was uploaded to the website instagram.zunamedia.com.  You should refrain from navigating to this site because it has been marked as “a suspected phishing site” according to CNET.

I decided to see for myself on McAfee’s SiteAdvisor.

The app even charged users $10 to find out who their top 100 followers were on Instagram.  It was clearly a scam to take advantage of people who worry about their online presence.

I’m going to assume that the prime targets for this invasion were middle school and high school students, unfortunately.  They might not know better about researching the safety of an app.  They are at a time in their lives where social status means everything to them and it needs to be documented on social media.  They also don’t have credit cards (good gosh I hope not) and could potentially charge the $10 to their parents.

It is speculated that InstaAlert affected 1 million Instagram users; roughly 500,000 on each operating system.

David Layer-Reiss recommends that if you were a user of this app, you will want to not only change your password for Instagram, but for all other website logins that also used that password.  You can never be too careful!

Here’s some advice from myself.  Make sure you are being careful online and in apps that require you to connect/login with your social media accounts.  You may be giving them a ton of access to very personal information that you will later regret.

When in doubt, do a five to ten minute Google search and verify that the service you are planning to use is safe.  If you ever are unsure about the safety or authenticity of a service, please do not hesitate to ask me or other online sources for help.

Stay safe in the Wild Wild Web!

Via: CNET

Source: theguardian

By the way, I’m not sure if my photoshopping skills are getting better or worse…