6tag leaks your account data, stores your private videos


Windows Phone developer Rudy Huyn released his unofficial Instagram clone app called 6tag today. And while I would love to take this moment to clear up misconceptions about how the app works and Huyn's involvement (or lack thereof) with Instagram, I must defer to another day. That's because I must, instead, share some important privacy concerns uncovered by Windows Phone developer Travis La Marr this morning.

6tag sends account data in the clear

To support video uploads, 6tag emulates how Instagram's official apps work: video is uploaded from the device to intermediate servers, which transcode it into a compatible format and size before it goes on to Instagram. Where 6tag differs is that it sends your private account data -- your username and authentication tokens, for example -- in the clear, along with the video, to a black-box server in France (presumably under the author's control), apparently in preparation for a future app update. That means, in theory, a determined individual sitting in a Starbucks with a packet sniffer on the same Wi-Fi network could read those tokens off the wire and take over your Instagram account, easy peasy.

Update 2 8/22 @ 4:22am PST: Rudy, via Twitter, has indicated cookies will now be encrypted with a "512-bit key" in a future update.
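To make the "sniffer at a Starbucks" claim concrete, here is an added example (my own code, not 6tag's or Instagram's) of the check an on-path observer, or a developer auditing their own app, would run: parse one captured plaintext HTTP upload request and list every account identifier and bearer credential that travelled unencrypted. The request below is constructed for the demo; the hostname, form-field names and cookie values are assumptions and are not 6tag's real protocol, and the heuristics for what counts as a credential are mine.

```python
"""Scan a captured plaintext HTTP request for credentials a passive observer
could read.  Added example; SAMPLE_REQUEST is constructed, not real traffic."""
import email
import re
from dataclasses import dataclass, field

# Header names and form-field name fragments that usually carry account
# identifiers or secrets.  This list is an assumption; extend it to taste.
SENSITIVE_HEADERS = {"authorization", "x-auth-token", "x-csrftoken"}
SENSITIVE_FIELD_RE = re.compile(r"user|token|session|cookie|pass|secret|auth", re.I)


@dataclass
class Finding:
    where: str   # "cookie", "header" or "form-field"
    name: str
    value: str   # captured as-is; redact before logging (see Report.summary)


@dataclass
class Report:
    method: str
    host: str
    target: str
    findings: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True when an on-path observer got at least one credential."""
        return bool(self.findings)

    def summary(self) -> list:
        """Human-readable lines with the secret values redacted."""
        lines = [f"{self.method} {self.host}{self.target}: "
                 f"{len(self.findings)} credential field(s) in the clear"]
        for f in self.findings:
            lines.append(f"  {f.where} {f.name} = {f.value[:4]}... ({len(f.value)} chars)")
        return lines


def _parse(raw: bytes):
    """Split a raw request into method, target and an email.message.Message
    holding the headers and the (possibly multipart) body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, target, _version = request_line.decode("latin-1").split(" ", 2)
    # The stdlib MIME parser understands multipart/form-data once the request
    # line is removed; the Content-Type header supplies the part boundary.
    msg = email.message_from_bytes(header_block + b"\r\n\r\n" + body)
    return method, target, msg


def scan_request(raw: bytes) -> Report:
    method, target, msg = _parse(raw)
    report = Report(method, msg.get("Host", ""), target)

    for name, value in msg.items():
        lname = name.lower()
        if lname == "cookie":
            # Each cookie is a separate bearer credential; report them one by one.
            for pair in value.split(";"):
                cname, _, cval = pair.strip().partition("=")
                if cname:
                    report.findings.append(Finding("cookie", cname, cval))
        elif lname in SENSITIVE_HEADERS:
            report.findings.append(Finding("header", name, value.strip()))

    if msg.is_multipart():
        for part in msg.get_payload():
            fname = part.get_param("name", header="content-disposition") or ""
            if part.get_param("filename", header="content-disposition"):
                continue  # a file upload (the video itself), not a credential
            if SENSITIVE_FIELD_RE.search(fname):
                payload = part.get_payload(decode=True) or b""
                report.findings.append(
                    Finding("form-field", fname, payload.decode("latin-1").strip()))
    return report


# Constructed capture of an upload that carries the account's cookies and
# token next to the video.  All names and values here are made up.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: transcode.example.invalid\r\n"
    b"Cookie: sessionid=CONSTRUCTED-SESSION-VALUE; csrftoken=CONSTRUCTED-CSRF\r\n"
    b"Content-Type: multipart/form-data; boundary=demoboundary\r\n"
    b"\r\n"
    b"--demoboundary\r\n"
    b'Content-Disposition: form-data; name="username"\r\n\r\n'
    b"alice\r\n"
    b"--demoboundary\r\n"
    b'Content-Disposition: form-data; name="access_token"\r\n\r\n'
    b"CONSTRUCTED.TOKEN.VALUE\r\n"
    b"--demoboundary\r\n"
    b'Content-Disposition: form-data; name="video"; filename="clip.mp4"\r\n'
    b"Content-Type: video/mp4\r\n\r\n"
    b"\x00\x00\x00\x18ftypmp42\r\n"
    b"--demoboundary--\r\n"
)

if __name__ == "__main__":
    print("\n".join(scan_request(SAMPLE_REQUEST).summary()))
```

The scanner reads the bytes exactly as someone on the same network would; on a TLS connection that observer gets only ciphertext, so transport encryption is what closes this hole. Encrypting a cookie value on its own, with a key the app must also carry, does not stop whoever holds that key (or extracts it from the app) from reading the cookie, and does nothing for the username and any other field sent alongside it.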

But wait, there's more... 

6tag servers keep a copy of your public and private videos, for an unspecified amount of time

6tag's transcoding servers understandably keep uploaded video around for a little bit, giving the phone app time to grab a copy. What's concerning, however, is that uploaded video never seems to get deleted. For example, here's a permalink to a video I published on Instagram hours ago. And here's a video Travis published over a week ago. Yikes.

Update 1 8/22 @ 3:46am PST: Rudy, via Twitter, has confirmed that his server does not remove videos after publishing to Instagram, instead relying on an undocumented 48-hour retention policy. When asked about Travis' week-old video, he noted that video was uploaded via the beta, implying beta videos are special, and that they will be wiped "in less than 48h". Travis' video went dark soon after.

6tag doesn't have a privacy policy

In violation of Windows Phone App Certification Policy 2.8, 6tag does not come bundled with a privacy policy, or at least not one I could find. This means users have no idea what data is sent to Instagram or to the black-box servers in France, nor how private user data is handled, protected, or destroyed. How this got through Windows Phone Store testing is beyond me.

Update 3 8/23 @ 3:40pm PST: A new privacy policy is up.

Call to action: Upgrade to 1.0.1.0

 

This is a "FAST PUBLISH" article. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time. 

Full disclosure: I was compensated as part of an Instagram API reverse engineering effort for the developer of Instance, a competing app in the Windows Phone Store. This was a one time deal. I do not receive compensation based on the success or failure of Instance, nor care about Instagram in general.