New Instagram API Will Stop Malicious 3rd-Party Apps

After the malicious app InstaAgent was found last year to be stealing Instagram passwords from users (and using Instagram’s own tech!), Instagram changed its rules for getting access to its API, effectively stopping a large number of WordPress Instagram plugins from working.

Last November, Instagram stated that it would no longer permit plugins access to the old Instagram feed API, as the old API was being completely shut down. In the future, 3rd-party apps will have far more limited capabilities.

Who can access the New Instagram API now?

Instagram has tightened who and what can access the new API, and updated its Platform Policy to explicitly list the use cases it will support in future. These include apps and services that:

  • Help individuals share their own content with 3rd party apps, such as apps that let you print your photos and import an Instagram photo as a profile picture.
  • Help brands and advertisers understand and manage their audience, develop their content strategy, and get digital rights to media. Established apps in this space may apply for our newly announced Instagram Partner Program.
  • Help broadcasters and publishers discover content, get digital rights to media, and share media using web embeds.

New review process

Starting November 2015, Instagram began instituting a new review process and preventing new apps from using its APIs until it starts conducting reviews on December 3. Existing apps have until June 1, 2016 to comply with Instagram’s new platform rules, and the users/self/feed and media/popular API endpoints will be available until the end of the review period. Instagram is also launching a new Sandbox Mode to allow developers to privately build and test apps using Instagram’s APIs.

Instagram’s new policy will put an end to dozens of questionable third-party Instagram apps that promised users new followers and the ability to track follows and unfollows. Apps are no longer able to use “like,” “share,” “comment,” or “follower” exchange programs nor can they use follower information for “anything other than analytics” without Instagram’s permission.

Unfortunately, as no apps will be able to access the full Instagram feed, it will also have an impact on legitimate Instagram clients for the iPad and the Mac, where Instagram is not natively available. As TechCrunch points out, this will affect apps like Retro, Flow, Padgram, Webstagram, Instagreat, and more.

With today’s changes, Instagram says it plans to institute a “more sustainable environment built around authentic experiences on the platform” and give users more control over their content.

New Instagram API

So What?

As of 1st June 2016, the old API was pulled completely.

Immediately, The Army of the Flying Monkeys had a pile of work updating all clients’ Instagram info and advising them to shift their passwords just in case. Then we had to get into all the sites with Instagram feeds or widgets etc. and update them all.

So, have a good look at any Instagram widgets/code on your WordPress websites and check they all use the new API.

That’s what you do RIGHT NOW!
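One way to run that check, as an added example that is not from the original post: a small Python scan of a WordPress content tree for the two endpoints the article says are being retired (`users/self/feed` and `media/popular`). The file extensions scanned and the sample plugin files are constructed assumptions.

```python
import os
import re
import tempfile

# Endpoints the article names as retired at the end of the review period.
RETIRED_ENDPOINTS = ("users/self/feed", "media/popular")
# File types where plugins and themes usually keep API calls (assumption).
SCAN_EXTENSIONS = (".php", ".js", ".inc", ".html")
PATTERN = re.compile("|".join(re.escape(e) for e in RETIRED_ENDPOINTS))

def scan_tree(root):
    """Return sorted (relative_path, line_number, endpoint) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue  # skip readmes, images and other non-code files
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for match in PATTERN.finditer(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, lineno, match.group(0)))
    return sorted(hits)

def build_sample_tree(root):
    """Write constructed plugin files (not real plugins) for the demo."""
    samples = {
        "plugins/old-feed/feed.php": "<?php\n$u = 'https://api.instagram.com/v1/users/self/feed?access_token=' . $t;\n",
        "plugins/old-feed/popular.js": "// widget\nfetch(base + '/media/popular');\n",
        "plugins/new-feed/embed.php": "<?php\necho $embed_html; // web embed only\n",
        "plugins/old-feed/readme.txt": "mentions users/self/feed but is not code\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Scan the constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, lineno, endpoint in demo():
        print(f"{rel}:{lineno}: retired endpoint {endpoint}")
```

Point `scan_tree` at a site's `wp-content` directory; a hit means that plugin or theme file still references a retired endpoint and needs updating or replacing.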

Not all plugins are created equal

In some cases we have completely removed and replaced some plugins with new ones that have been updated after the shift on June 1st. FYI the two we currently have working 100% and secure are:

InstaShow – WordPress Instagram Feed for Website

Instagram Feed – WordPress

Enjoy Plugin for Instagram

Instagram on your website with shortcodes and widgets! Images of Instagram profiles and hashtags on posts, pages, sidebars with Carousel and Grid view

So what was this InstaAgent, and what did it actually do?

InstaAgent, an app that connected to Instagram and promised to track the people that have visited a user’s Instagram account, was storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.

An app developer from Peppersoft downloaded InstaAgent (full name “Who Viewed Your Profile – InstaAgent”) and discovered it was reading Instagram account usernames and passwords and sending them in clear text to a remote server, instagram.zunamedia.com.

InstaAgent was also using the credentials to log into accounts and post unauthorized images. Instagram does not permit third-party apps to upload photos to user accounts.

While InstaAgent wasn’t particularly popular in the US, it was the number one free app in both the UK and Canada, with thousands of downloads, which puts a huge number of Instagram users at risk of having their information stolen. In the Google Play store, the app had between 100k and 500k users, and the install numbers could be similar for iOS.

Google has removed InstaAgent

Google has removed the InstaAgent Android app from the Google Play store, but InstaAgent is still available in the iOS App Store for the time being.

Anyone who has downloaded InstaAgent should delete the app immediately and change their Instagram password.

Change your Passwords

Passwords for other sites and accounts that were the same as the Instagram password should also be changed as a precaution.

We seriously recommend a password management app like LastPass, which can generate unique complex passwords for each and every site or service. Instagram also advises against installing third-party apps that don’t follow its Community Guidelines.

There are hundreds of 3rd-party apps that promise to provide Instagram users with followers and other perks, and these kinds of apps should be avoided. According to Instagram, these apps are “likely an attempt to use your account in an inappropriate way” as InstaAgent does.
