Support » Plugin: Smash Balloon Social Photo Feed » Instagram Feed steal my password and added followeds automated

  • Resolved misagues

    (@misagues)


    Instagram Feed steal my password and added followeds automated.

    In the websites where we have installed the plugin we have detected that there is an increase in the number of followed.

    The plugin opens a back door to bad bots to control the account, increasing the number of followed by hundreds each day.

    We change the password and it does not happen anymore. Perfect!

    We reconnect the account with Instagram Feed and again added followeds automated. OMG!

    The problem is in the Plugin that grants permission to external bad bots.

    Are you using the free version to the Plugin to offer followers in exchange for money?

  • Plugin Author smashballoon

    (@smashballoon)

    Hi @misagues,

    That’s a pretty serious accusation. I can guarantee you that there is no malicious code in our plugin which does anything like what you’re describing. You don’t have to take my word for it though – the plugin is completely open source so you can check the source code yourself to verify that if you’d like. Due to the popularity of the plugin, it has been vetted not only by the WordPress Plugins team, but also by several security experts in order to find any security vulnerabilities. If you are experiencing issues with your Instagram account then it isn’t as a result of using this plugin.

    Kind regards,

    John

    Thread Starter misagues

    (@misagues)

    Sorry for the misunderstanding. My English is not very good. At no time did I want to accuse.
    My intention is to notify the problem and ask for help.

    Thread Starter misagues

    (@misagues)

    Before writing the problem here I have done tests on three websites with the installed plugin and its three corresponding Instagram accounts for a while.

    In the three Instagram accounts the only authorized application was “Smash Balloon WordPress Plugin App”.

    Every day the number of followed increases by hundreds.

    If we change the password (leaving the plugin without access), the followed ones no longer increase.

    If we reconnect the account with Instagram Feed, the followeds are automatically added again.

    Plugin Author smashballoon

    (@smashballoon)

    Hi @misagues,

    Are the Instagram profiles you’re seeing this on all under the same Instagram account? I’m wondering if it’s an issue with your account itself being compromised. Have you used any kind of follow-count increase services in the past or authorized any apps which do this kind of thing, or perhaps just another app from an unreputable source which may have compromised your account?

    We have many of our own profiles with the app authorized and haven’t seen this issue. The plugin also has 800,000 active users and we’ve never had anyone else report an issue like this before, so it seems like something else may be at play here. Our app doesn’t have the ability to increase follower counts or make any changes to your Instagram account. It only has read-only permission to read your Instagram profile information.

    Could you go to the following link and completely revoke access to the app: https://www.instagram.com/accounts/manage_access/. Then try authorizing it again via the plugin’s settings page. You could also try creating a brand new Instagram account which isn’t connected in any way to your current accounts and then using the plugin with that account to verify that the issue doesn’t occur.

    Many thanks,

    John

    @smashballoon isn’t the access token supposed to be a secret?

    edit: and was never supposed to share with anyone?

    • This reply was modified 1 year, 9 months ago by mmeett.
    Thread Starter misagues

    (@misagues)

    > Are the Instagram profiles you’re seeing this on all under the same Instagram account?

    NO

    > I’m wondering if it’s an issue with your account itself being compromised. Have you used any kind of follow-count increase services in the past or authorized any apps which do this kind of thing, or perhaps just another app from an unreputable source which may have compromised your account?

    NO

    They are relatively new web pages and Instagram accounts, apart from the plugin, are only used for manual publications.

    > The plugin also has 800,000 active users and we’ve never had anyone else report an issue like this before, so it seems like something else may be at play here.

    I know, I know the plugin. I am the translation editor of the Spanish team.
    But, the problem has recently appeared on all three websites and I am reporting this problem now.

    > It only has read-only permission to read your Instagram profile information.

    Connect with the account API with the user’s permissions.

    > Could you go to the following link and completely revoke access to the app: https://www.instagram.com/accounts/manage_access/. Then try authorizing it again via the plugin’s settings page.

    I will prove it.

    > You could also try creating a brand new Instagram account which isn’t connected in any way to your current accounts and then using the plugin with that account to verify that the issue doesn’t occur.

    I checked it in a web in test environment with a test Instagram account and in a week I already had about 1000 followeds.

    Thanks!

    Plugin Author smashballoon

    (@smashballoon)

    @misagues – could you contact us via our website so that we can troubleshoot this further for you and try testing the access token from one of your accounts to see if we can replicate the problem? Please link to this thread in the ticket so that we know that it’s related.

    @vmettem – The access token used is safe to be displayed on the client-side – it’s only the client “secret” which is sensitive, which we don’t use as we use Instagram’s Client-Side (Implicit) Authentication. The access token is only able to be used to read public data from a user’s Instagram feed, such as public photos, captions, and comments. Nonetheless, we’ve actually been working on a complete rebuild of the plugin for a while now which will make API calls in PHP rather than JavaScript, and as a result of that the access token will no longer be visible in the page source code.

    John
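
The reply above says the access token is visible in the page source until API calls move to PHP; a site owner can check their own rendered pages for that exposure. The following is an added example, not part of the thread or the plugin's code. The token shape (`<digits>.<7 hex>.<32 hex>`), the function names, and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit your own rendered HTML for access-token-like strings.
// ASSUMPTION: token shape "<digits>.<7 hex>.<32 hex>" (not stated in the thread).
const TOKEN_RE = /\b\d{3,20}\.[0-9a-f]{7}\.[0-9a-f]{32}\b/g;

// Report where in the markup a match sits so the fix can be targeted.
function contextOf(html, index) {
  const before = html.slice(0, index);
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) {
    return "inline-script";
  }
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "attribute";
  return "text";
}

// Keep only a short prefix so the audit report does not leak the token again.
function redact(token) {
  return token.slice(0, 4) + "...[redacted]";
}

function findExposedTokens(html) {
  const findings = [];
  const seen = new Set();
  for (const m of html.matchAll(TOKEN_RE)) {
    const where = contextOf(html, m.index);
    const key = where + ":" + m[0];
    if (seen.has(key)) continue; // same token, same context: report once
    seen.add(key);
    const line = html.slice(0, m.index).split("\n").length;
    findings.push({ where, line, token: redact(m[0]) });
  }
  return findings;
}

// Constructed sample pages (hypothetical markup, not the plugin's real output).
const FAKE_TOKEN = "1234567890.1a2b3c4.0123456789abcdef0123456789abcdef";
const CLIENT_SIDE_PAGE = [
  `<div id="feed" data-token="${FAKE_TOKEN}"></div>`,
  `<script>var feedOptions = {"accessToken":"${FAKE_TOKEN}"};</script>`,
].join("\n");
// Server-rendered variant: the token stays on the server, only media is emitted.
const SERVER_SIDE_PAGE = '<div id="feed"><img src="/cache/photo1.jpg" alt=""></div>';

console.log(findExposedTokens(CLIENT_SIDE_PAGE));
console.log(findExposedTokens(SERVER_SIDE_PAGE));
```

Run against saved copies of your own pages before and after a plugin update; an empty result for the server-rendered page is the outcome the rebuild described above is meant to produce.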

    @smashballoon awesome! thanks for your work on the plugin.

    Thread Starter misagues

    (@misagues)

    > could you contact us via our website so that we can troubleshoot this further for you and try testing the access token from one of your accounts to see if we can replicate the problem? Please link to this thread in the ticket so that we know that it’s related.

    I will try to replicate the problem again in a testing environment, so as not to compromise the data of my clients and I will contact you through their support.
    Thanks for the help.

    > Nonetheless, we’ve actually been working on a complete rebuild of the plugin for a while now which will make API calls in PHP rather than JavaScript, and as a result of that the access token will no longer be visible in the page source code.

    Great, that is very good news!
