tcpdump

Pressgram Just Another Instagram…Lame Sauce.

I was really excited when Pressgr.am first came out. It was supposed to cut out the Instagram middle man.

I’ve had issues getting it to work with my site; in particular, it would upload the image but it would often not create the post. I started digging around, running tcpdump on my router to capture the XMLRPC requests that should have been going between my iPhone and my web server. But I could never capture the traffic I was expecting. As it turns out, there’s a reason:

From stephanis.info:

It seems that, unlike the WordPress Mobile Apps, the password that you enter in Pressgram isn’t kept private on your own device. Without noting it on a Privacy Policy or in any way notifying you that Pressgram is doing it, your password is stored in plaintext on their server.

So what does this all mean?

Well, it means that Pressgram is storing your credentials in plaintext (or potentially encrypted alongside a decryption key) on your behalf, without notifying you or doing anything publicly to indicate that this is the case. No matter how high-entropy your passwords may be, if you hand them to someone and they get hacked, it doesn’t matter. You are vulnerable – doubly so if you use that password for other accounts as well.

To some folks, this may be a worthwhile tradeoff. But as I look at it, I don’t see it as a necessary tradeoff. Your credentials could just as easily be kept private between the app on your phone and your WordPress site. Just have your phone upload the photo directly to your WordPress install. It wouldn’t be difficult to do; it’s already making XMLRPC requests to the server. And it fulfills the initial Kickstarter promise of “your filtered photos published directly to your WordPress-powered blog”. It would also provide the added security that if Pressgram is eventually shut down or sold off, the app would still function, as it’s not needlessly dependent on the Pressgram servers.

To protect yourself, you may want to consider making a separate account for your WordPress site with the Author role and using those credentials with Pressgram, and make sure you’re using a distinct password – as well as with any service that you provide a password to.

My data should be going directly to my server. But it’s not. And that’s, honestly, troubling for an app that promised “complete creative control and publishing freedom with the ability to publish filtered photos directly to your WordPress blog!”1

For the time being, I’ve deleted Pressgram and changed my password. On to looking for a better solution.

1. Source: http://www.kickstarter.com/projects/tentblogger/pressgram-an-image-sharing-app-built-for-an-indepe