Don’t trust instaunf/instaunfapp with your Instagram password

UPDATE July 2017: the suspect site I talk about here has changed its domain name since my post about it and is now instaunfapp.com. It has also implemented https (a secure connection). The fact remains that it asks for your clear-text Instagram password, and Instagram doesn’t permit that. (Never give your password to someone you don’t know and trust.)

When you search for “instagram unfollow”, one of the top results in Google is ‘instaunf.com’ (not linked on purpose). The website looks legit: a homepage that says “Check who unfollowed you, who doesn’t follow you back and more. It’s free, it’s easy to use, it’s quick.” with the familiar button “Sign in with Instagram”.

The fishy part comes when you click that button. You get a minimal page that tries really hard to look like an instagram.com login page. It asks for your Instagram username and password over an unencrypted connection. This is very suspicious.

Instagram uses OAuth 2.0, which means: if you are already logged in to Instagram, you only need to press a button like ‘Allow xyz.com access to your account’; if you are not logged in yet, you log in on the instagram.com website itself, over a secure https connection. An external party should never receive your password.

So my guess is that this website is used for phishing: harvesting other people’s Instagram usernames and passwords, in the hope of a) hijacking the account for a ransom, b) hijacking the account to promote another IG account, c) downloading photos from (private) Instagram accounts, d) …
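The two observations above (a look-alike login form that posts the password to the third party, and the OAuth rule that only instagram.com over https should ever see it) can be turned into a simple check. The code below is an added example, not code from the original post or from Instagram; it scans a page’s HTML for forms that collect a password and reports when that password would go anywhere other than instagram.com over https. The sample HTML, the host third-party.example and the authorize URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The only hosts that may legitimately receive an Instagram password: Instagram itself.
TRUSTED_LOGIN_HOSTS = {"instagram.com", "www.instagram.com"}


class _FormScanner(HTMLParser):
    """Records each <form>, its action URL, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def password_form_findings(page_url, html):
    """Return the reasons a page's password forms should not be trusted.
    An empty list means no form sends a password anywhere except instagram.com
    over https, which is what a genuine OAuth sign-in guarantees."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))  # "" resolves to page_url
        if target.scheme != "https":
            findings.append(f"password sent over {target.scheme} to {target.hostname}")
        if target.hostname not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"password sent to third-party host {target.hostname}")
    return findings


# Constructed sample: a look-alike login page that posts the password to the
# third party's own server, the pattern described in the post.
LOOKALIKE_LOGIN = """<form action="/login" method="post">
<input name="username"><input name="password" type="password"></form>"""

# Constructed sample: a proper "Sign in with Instagram" button, which only links
# to Instagram's authorization page and asks for no password on its own domain.
OAUTH_BUTTON = """<a href="https://api.instagram.com/oauth/authorize?client_id=APP_ID&redirect_uri=https://third-party.example/cb&response_type=code">Sign in with Instagram</a>"""
```

Running the check on the same look-alike form over https (the July 2017 state of the site) still yields a finding, because the password continues to go to a third-party host.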

Who is behind the website?

The domain name was registered by someone from Yalova, Turkey in March 2015. The first website on the domain appeared one year later, entirely in Turkish. In August 2016 it changed into the modern-looking, English-language website it is now.
