An application that would allow users to spy on Instagram private profiles was removed from the Google Play Store after Facebook took notice.
Ghosty was an Android app that allowed people to access some private Instagram profiles, even though the social network’s terms of service prohibit this action. After Facebook threatened to send a cease and desist letter, the application was quickly removed from the store.
People who keep their social media accounts private have to trust companies to respect their wishes. A rogue app should not have access to that kind of information, and Instagram, in this case, didn’t allow such access. So how did Ghosty bypass the privacy filters?
We often hear of the takeover of some celebrity’s Instagram or iCloud accounts, but it’s incorrect to assume they were hacked. Usually, attackers gain access to other user’s accounts by guessing the password or by using already-leaked information. Year after year, the list of the most used passwords remains the same, so it’s no wonder that some popular accounts are compromised.
In the case of Ghosty, humans are also to blame. The app developer exploited the one thing that gave him access — people’s trust. Ghosty would require users to provide access to their profile and invite other people, according to a BBC report. When someone with access to a private profile joined the network, everyone would get the same access. Moreover, the application was running off a subscription model, charging money.
“Yes, this app violates our terms. This functionality has never been available through our API,” a Facebook spokeswoman told the BBC. “We will be sending a cease and desist letter to Ghosty ordering them to immediately stop their activities on Instagram, among other requests. We are investigating and planning further enforcement relating to this developer.”
While the Ghosty app disappeared from Google Play soon after Facebook’s statement, it’s unclear whether it was voluntary or if it was taken down.