• I respawned my old WordPress account just to write this review!
    My Instagram account has been compromised due to the token shared in the app.

    Don’t tell me it’s coincidence, as you said to the guy in the other topic with the same title, because my Instagram account was brand new, never used the account on any app or phone… And now 1 day after installing this plugin (from the official WordPress store), I am following 523 accounts!

    You should seriously inspect your code (and if alright, check all the employees having access to your database, because for sure someone is using the access token to add hundreds of random accounts).

Viewing 1 replies (of 1 total)
  • Plugin Support Smash Balloon Joel

    (@joelsmashballoon)

    Hey @kanak09,

    Thank you for reaching out to us for assistance. I am sorry to hear about the issues you are experiencing with your Instagram account. I can understand why you believe there may be a connection here. However, I will affirm that this is a coincidence. We do not ask for any permission that would allow us to control who your account follows.

    Find below all the necessary information to confirm that this is not the case – even in the ‘loss’ of an Access Token, there is very limited access to ‘Do’ anything to your account – and certainly, nothing when it comes to accessing it. All login information entered is handled only on Instagram or Facebook, and as such we never get access to your login information. The Access Token is only stored on your website, in an encrypted fashion. This is never automatically sent to us; even if you have given us permission to receive user data, we never receive this and only ask for it (and it must be sent by you as the user) in support tickets where necessary.

    There is no way that our app would be involved in the direct access to your account by a third party; they would not be able to get access to your password or change this. A password change would also completely invalidate the Access Token should any third party have received this in any way, and when setting the plugin up again, you will get a new Access Token.

    At most, here is a link to the documentation for each permission that we use with our plugin (Business Profile Connection):

    pages_show_list -> Only allows to show a list of pages you manage

    Instagram related Permissions
    instagram_basic -> Can only get data
    instagram_manage_comments -> while we don’t, technically this could be used to post or remove comments (unrelated to your issue)
    instagram_manage_insights -> Can only get data, used to display stories and the follower numbers

    Facebook related Permissions
    pages_read_engagement -> Can only get data
    pages_manage_metadata -> Used only to get data, unrelated to followers
    pages_read_user_content -> again while we don’t, can be used to delete comments users have made on your page

    Please rest assured that our usage of the API has to go through a thorough process called an App Review and Facebook would also quickly shut down unauthorized and unsafe usage of these different permissions. The above is also only in relation to a Business connection. The Personal (Instagram only) connection has even less control over your account.

    I hope this helps provide some additional information surrounding this, and please let us know if you have any additional questions. You are also welcome to reach out to us directly using the contact form on our website if you need any additional guidance or details.

    Many thanks!

  • The topic ‘Not safe AT all – token compromised’ is closed to new replies.