Apple today pulled a popular Instagram client from the App Store after it was found to be harvesting usernames and passwords. The client, InstaAgent, was first flagged by developer David L-R on Twitter. The app, downloaded more than half a million times, touted that it would let you see who had been viewing your Instagram profile.
David L-R notes in his tweets that InstaAgent was sending account information, including usernames and passwords, unencrypted to a remote server that was not connected to Instagram officially in any way, shape, or form. In extreme cases, InstaAgent was using that login information to post photos to users’ accounts without their consent.
The app had seemingly passed Apple’s review process without raising an eyebrow and was never questioned until today, thanks in large part to its wild success in terms of downloads. Instagram, of course, has always encouraged users not to download or share information with third-party apps. In addition to being removed from the App Store, InstaAgent was removed today from the Google Play Store, where it had amassed around 500k downloads.
Today’s revelation comes two months after hundreds of apps were infected by fake Xcode tools. The apps had been developed using counterfeit versions of Xcode, dubbed XcodeGhost, that injected malicious code into apps without developer knowledge during the submission process.
Apple has yet to officially comment on the removal of InstaAgent, but it’s unlikely we’ll see it back on the App Store, at least any time soon.