Anonymous Sharing App ‘Secret’ Doesn’t Guarantee Complete Secrecy and Anonymity
I won’t pretend that I don’t like Secret; it’s a unique concept and is exceedingly fun to use, but if you’re one of those people who take this opportunity to dig out the things buried deep within and make the whole world see it while living under the delusion that no one will ever know, you need to think again.
Just recently, the chief executive and co-founder of Secret, David Byttow, confirmed that the app is as vulnerable as any other app out there and that a hundred per cent secrecy is not guaranteed – a hard realization for those who were led to believe otherwise.
In a recent interview with Wired, Byttow affirmed that being anonymous certainly does not mean completely untraceable and people need to acknowledge this fact:
The thing we try to help people acknowledge is that anonymous doesn’t mean untraceable. We do not say that you will be completely safe at all times and be completely anonymous.
And you don’t just have to take Byttow’s word for it, since a couple of self-proclaimed ethical hackers, Benjamin Caudill and Bryan Seely, found an exploit in the system that enabled them to link each ‘Anonymous Post’ to its owner’s email address.
To understand the simple idea behind the exploit, you first need to understand how Secret works. Once you download the app, it asks you to log in with your email address, phone number, or Facebook account and automatically links you to all of your friends who use Secret. Once that is done, you can see confessions from your ‘Friends’ and ‘Friends of Friends’ in a newsfeed, without the app saying which friend posted which confession.
Coming back to the hack: since the app does not verify your phone number or email address, Caudill and Seely deleted their real contacts, created a batch of dummy Secret accounts under their own control, and added a single real person’s email address alongside them:
We were able to manipulate the process of adding friends to the app and replace real ‘friends’ with dummy accounts we created, causing the application to believe we have a large group of friends and that any one friend’s secret would be anonymous. In actuality, only one real person was added – the victim – so any secrets from friends would be identified as theirs.
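The weakness described above is that the app treated every contact, verified or not, as one more possible author, so the ‘anonymity set’ behind a ‘friend’ post was only as large as the number of real, distinct people in it. The following is an added illustration (constructed for this article, not Secret’s code) that models a feed service under the naive policy beside a hardened one that counts only verified, distinct identities and withholds the ‘friend’ label when the set is too small; the account names, the threshold and the helper functions are assumptions.

```python
"""Model of an anonymity set collapsing when unverified contacts count as friends.

Constructed illustration of the flaw described in the article; the data model,
names and threshold are assumptions, not the real app's code.
"""
from dataclasses import dataclass

# Minimum number of distinct verified contacts before a post may be shown as
# coming from 'a friend' (assumed policy value).
MIN_ANONYMITY_SET = 5


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    verified: bool  # True only if the email/phone was actually confirmed


@dataclass
class Viewer:
    handle: str
    contacts: list  # accounts this viewer has added as friends


def naive_anonymity_set(viewer: Viewer) -> int:
    """Naive policy: every added contact is a possible author."""
    return len(viewer.contacts)


def hardened_anonymity_set(viewer: Viewer) -> int:
    """Hardened policy: only verified contacts, deduplicated by identity."""
    return len({a.email for a in viewer.contacts if a.verified})


def label_post(viewer: Viewer, policy) -> str:
    """Return 'friend' if the post may be shown as a friend's, else 'withheld'."""
    return "friend" if policy(viewer) >= MIN_ANONYMITY_SET else "withheld"


def build_scenario() -> Viewer:
    """Constructed data: one real verified contact plus nine unverified dummies."""
    real = Account("real_user", "real.user@example.com", verified=True)
    dummies = [Account(f"dummy{i}", f"dummy{i}@example.com", verified=False)
               for i in range(9)]
    return Viewer("observer", [real] + dummies)


if __name__ == "__main__":
    v = build_scenario()
    print("naive set:", naive_anonymity_set(v), label_post(v, naive_anonymity_set))
    print("hardened set:", hardened_anonymity_set(v), label_post(v, hardened_anonymity_set))
```

Under the naive policy the post is labelled as a friend's even though only one real person could have written it; the hardened policy withholds the label until enough distinct verified contacts exist.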
Caudill also stated that although Secret has pretty decent security in many areas, such flaws are common in applications, especially those built by start-ups.
Between the high-level design and implementation of code, attackers have a lot of possible attack vectors, and developers need to cover them all. Secret actually has pretty good security in many areas, but the deck is stacked against companies today. It’s hard for them to cover all possible vulnerabilities without a lot of specialized help.
Like many companies, Secret also has hackers looking for the app’s vulnerabilities, and it has closed about 42 loopholes found by 30 ethical hackers.
Despite all the promises, these apps are not as safe as they are publicized to be, and maybe this is one of the reasons Judge Paulo Cesar de Carvalho of the Fifth Civil Court of Victoria is asking for Secret to be removed from Apple’s App Store and Google Play within 10 days.
What’s your take on this?