Windows Phone Instagram client 6tag may leak your data

Version 1.0 of 6tag was released yesterday.

It was refreshing to see an API-compliant Instagram client released on Windows Phone, as the Facebook-owned company has continued to neglect users of the platform. However, 6tag may not be as safe as it first appears. In the current version of the application, private data is sent to a server entirely unaffiliated with Instagram, which may give scammers on public Wi-Fi networks the chance to compromise your account.

The issues, reported by Within Windows, are accompanied by a complete lack of a privacy policy. This is against the Windows Phone App Certification Policy 2.8, and means that users have no guarantee that their data is secure. Most customers may have no idea, for example, that their videos are being held on 6tag's servers for up to 48 hours after publishing them, as this was not made clear by the developer in any documentation.

Luckily, developer Rudy Huyn has responded to these concerns and promised some changes in future updates. Cookies will be sent encrypted, for example. Nevertheless, with no privacy policy, we can't trust that there aren't more serious issues and vulnerabilities, so for the time being, it is strongly recommended that you avoid using the app, at least until an update is released.

At least this is another excuse to bug Instagram about building an official client.

Source: Within Windows | Image: Within Windows


26 Comments


Just a slight update to this story. The developer behind this app has issued an update that addresses all the concerns that were brought up. I hope Neowin and other sites follow up and point out that the issues have been taken care of in a fairly quick fashion.

While I'm sure that what the article says is technically possible, it'd be silly to ignore Rafael's bias here too. If you follow him on Twitter, it's clear he dislikes the developer of 6tag. He also helped out the developer of competing app Instance when that dev was having trouble with Instagram's security measures.

stevan said,

Not even close but nice try...

You are correct, outside of Halo, Microsoft is far more consumer conscious than Google, Apple, and Facebook that only serve their own interests...

Microsoft provides clients Apps for all platforms.

Mobius Enigma said,

You are correct, outside of Halo, Microsoft is far more consumer conscious than Google, Apple, and Facebook that only serve their own interests...

Microsoft provides clients Apps for all platforms.

Every company serves their own interests (profits). So the lack of Instagram app for WP isn't about company being less consumer conscious.

Nevertheless, with no privacy policy, we can't trust that there aren't more serious issues and vulnerabilities, so for the time being, it is strongly recommended that you avoid using the app, at least until an update is released.

Yeah, because a Privacy Policy automatically mitigates "serious issues and vulnerabilities". Wtf? Exploits can be discovered in any and every app.

With a privacy policy, you know what you're getting into, and you know the developer's intentions. He may be making you vulnerable, and you don't know about it.

In regard to bugs, yes, of course a privacy policy wouldn't help that.

Really?? Half the Android apps in the Play Store you don't know what you are getting into. Face it, the app looks a ton better than the iPhone and Android official apps, no need to try to bash it so people won't install it.

If my picture or video is so sensitive, I don't think I will be uploading it on Instagram. I honestly don't care considering my videos or pictures will be made public once it's uploaded on Instagram, it can sit for as long as it wants on the private servers, I really can't be bothered. I really liked the app and bought it.

What I really care about is my account password/tokens leaking which the developer has said that it will be encrypted.

We gotta accept that third party apps, how so good they may be, they can't replace official app. there are always some quirks with them.

ilovetech said,
We gotta accept that third party apps, how so good they may be, they can't replace official app. there are always some quirks with them.

I agree with you but with Government agencies snooping left and right, I think we already agreed to bid our privacy goodbye.

but this information "that might be stored on a server for 48 hours" is being uploaded to the public for anyone to see anyways, where anyone can download it if they wanted to.

vcfan said,
but this information "that might be stored on a server for 48 hours" is being uploaded to the public for anyone to see anyways, where anyone can download it if they wanted to.

Are you aware you can have a private Instagram account?

Not an app developer, but if this is the first API compliant Instagram app then how could other apps like Instance work?

Apps like Instance do use the API, but do not however follow all the guidelines that come along with it. The problem is that Instagram servers expect you to follow the guidelines and if you don't there can be unintended consequences, e.g. your account being temporarily banned.

That's because the users were finding it to be a great app. This doesn't change the fact that it's a good app for Instagram. What changed is that a vulnerability was discovered and now an update is needed.

Not sure why that's hard to follow.