THE POPULAR iOS and Android Secret app that lets users speak anonymously with friends isn't so secret after all, security experts have revealed by demomstrating a hack.
Launched in the UK in April after much success in the US, Secret is the latest app to make it big with social media users. It's basically a mixture of Instagram and Twitter, but all posts are anonymous. Its founders claim it was established on the principle that people can "be more authentic, empathetic and self-aware among friends" when their identity is kept private.
However, security researchers at Rhino Security Labs have demonstrated that it's possible to hack the app and thus reveal the identities of the posts in a user's feed by using personal email addresses and "dummy" accounts.
"This is exactly the kind of application that needs to spend some time under the magnifying glass. A service encouraging people to share their most private thoughts under the aegis of anonymity needs to ensure this anonymity is maintained," said Rhino Security Labs co-founder Benjamin Caudill in a blog post.
"After a little digging, we found a way to circumvent Secret's layers of anonymisation and expose the secrets of a user of our choice - searchable by phone number or email."
Caudill explained that the hack can be performed to identify the names of people behind the posts.
Upon signup, Secret pulls a list of contacts from the user's Facebook account or phone and automatically adds these as potential friends. If there's an email or phone number match, they are added to the "friends" list. To prevent users from just adding one person at a time, Secret refuses to show any secrets of friends unless they've got at least 10 of them, meaning they can only guess and speculate at whose closeted skeleton is whose.
In demonstrating the hack, an example of three posts seen in Caudill's friends list were: "This is the third girl I've dated in three weeks, and none of them know about each other"; "I'm late. I don't know how to tell my husband. Especially since he had a vasectomy"; and, "Is Lucy the cutest dog?"
Caudill was able to identify the names of his friends behind the first two posts and also learned that the third post about "Lucy" came from the founder of Secret, ex-Googler David Byttow.
To perform the hack, Caudill created a new Secret account, created a bunch of dummy friends and then added one single genuine person as a victim to see what secrets he or she had posted.
"Now, obviously this would work, albeit slowly, if you wanted to spy on just one or two people, but it isn't practical for more large-scale operations. Luckily, Secret offers an API with some vulnerabilities of its own that allowed us to automate the process of creating fake accounts rapidly," explained Caudill.
"In order to carry out this exploit we first create [the fake] account. This is pretty easy, as Secret doesn't require verification of a phone number or email, [and] obviously this makes the process a whole lot easier to carry out en masse.
"Using a standard HTTP proxy to snag the outgoing 'user account creation' packet, we set up a basic script to reply the packet several times - once for each of the [fake friends] accounts - simply iterating the usernames for each."
After running the script once, Caudill managed to verify all the fake accounts that were made. With the fake friends as well as a victim in his address book, he was able to finish the registration process for his main fake account himself - uploading the contacts to the server.
"Our 'friends' feed quickly populates with secrets from friends and friends and friends since our fake accounts have no secrets of their own, all those secrets from 'friends' are really only from our victim user," added Caudill. "We can now see every single one of our victim's secrets, all without their knowing that an attack ever took place."
Caudill said Rhino Security Labs worked closely with Secret to resolve the vulnerability and only broke story about the bug once it had been fixed. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted