Windows Phone developer Rudy Huyn released his unofficial Instagram clone app called 6tag today. And while I would love to take this moment to clear up misconceptions about how the app works and Huyn's involvement (or lack thereof) with Instagram, I must defer to another day. That's because I must, instead, share some important privacy concerns uncovered by Windows Phone developer Travis La Marr this morning.
6tag sends account data in the clear
To support video uploads, 6tag emulates the way Instagram's official apps work. That is, video is uploaded from the device to intermediate servers for transcoding into a compatible format and size before it is passed on to Instagram. But where 6tag differs is that it sends your private account data -- for example, your username and authentication tokens -- in the clear, along with your video, to a black-box server in France (presumably under the author's control) in preparation for a future app update. That means, in theory, a determined individual at a Starbucks armed with a sniffer could take over your Instagram account easy peasy.
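To make the "in the clear" problem concrete, here is an added example (not code from the post or from 6tag) of the kind of audit a developer or reviewer can run over their own app's captured upload requests: it flags account fields and session headers that travel over plaintext HTTP. The endpoint, field names and values are constructed placeholders, not the real 6tag traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests, as a passive capture of an app's own upload
# traffic might be summarised. Host and values are hypothetical placeholders.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "url": "http://transcode.example.invalid/upload?username=alice&access_token=tok123",
     "headers": {"Cookie": "sessionid=deadbeef", "Content-Type": "video/mp4"}},
    {"method": "POST",
     "url": "https://transcode.example.invalid/upload",
     "headers": {"Authorization": "Bearer tok123", "Content-Type": "video/mp4"}},
    {"method": "GET",
     "url": "http://transcode.example.invalid/status?job=42",
     "headers": {}},
]

# Query-string keys that identify the account or carry credentials.
SENSITIVE_QUERY_KEYS = {"username", "access_token", "token", "password", "sessionid"}
# Headers that carry session material for the account.
SENSITIVE_HEADERS = {"cookie", "authorization"}


def find_cleartext_secrets(request):
    """Return the sensitive fields a request sends over plaintext HTTP.

    HTTPS requests return an empty list: the same fields are acceptable
    once the transport encrypts them.
    """
    parts = urlsplit(request["url"])
    if parts.scheme.lower() != "http":
        return []
    findings = []
    for key in parse_qs(parts.query):          # preserves query order
        if key.lower() in SENSITIVE_QUERY_KEYS:
            findings.append(f"query:{key}")
    for name in request.get("headers", {}):
        if name.lower() in SENSITIVE_HEADERS:
            findings.append(f"header:{name}")
    return findings


def audit(requests):
    """Map each offending URL to the cleartext secrets it exposes."""
    report = {}
    for req in requests:
        hits = find_cleartext_secrets(req)
        if hits:
            report[req["url"]] = hits
    return report
```

Only the first sample request is reported: the HTTPS upload carries the same token but over an encrypted transport, and the status poll sends no account data at all.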
Update 2 8/22 @ 4:22am PST: Rudy, via Twitter, has indicated cookies will now be encrypted with a "512-bit key" in a future update.
But wait, there's more...
6tag servers keep a copy of your public and private videos, for an unspecified amount of time
6tag's transcoding servers understandably keep uploaded video around for a little bit, giving the phone app time to grab a copy. What's concerning, however, is that uploaded video never seems to get deleted. For example, here's a permalink to a video I published on Instagram hours ago. And here's a video Travis published over a week ago. Yikes.
Update 1 8/22 @ 3:46am PST: Rudy, via Twitter, has confirmed that his server does not remove videos after publishing to Instagram, instead relying on an undocumented 48-hour retention policy. When asked about Travis' week-old video, he noted that video was uploaded via the beta, implying they're special, and that beta videos will be wiped "in less than 48h". Travis' video went dark soon after.
Call to action: Upgrade to 220.127.116.11
This is a "FAST PUBLISH" article. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time.
Full disclosure: I was compensated as part of an Instagram API reverse engineering effort for the developer of Instance, a competing app in the Windows Phone Store. This was a one time deal. I do not receive compensation based on the success or failure of Instance, nor care about Instagram in general.