Saturday, April 20, 2024

If Secret isn’t anonymous, we’re all screwed


People have been airing their dirty laundry and slinging shade on Secret — an anonymous sharing app — for months now. Who could blame them? It’s fun, it’s freeing and accountability basically doesn’t exist there… or so some may believe. Kevin Poulsen at Wired spoke to a security researcher named Ben Caudill and the takeaway is clear: your secrets aren’t necessarily as secret as you think. And the kicker? The process of tying real people to the things they said was a shockingly simple one if you understand how Secret finds and displays people’s messages.

You see, once you have at least seven people in your phone’s contact list using Secret, the app will tag posts from those contacts as coming from a “friend”. But what if only one of those contacts is actually real? That’s what Caudill seized on: by clearing out his contact list, and adding the target’s contact information along with a handful of dummy accounts he created, any secret the target posted would be properly tagged as a friend post, and since the dummy accounts never post, any friend post could only have come from the target. Voilà — a relatively quick and easy way to unmask just about whoever you want… as long as you can scrounge up their email address and phone number.
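The weakness is that the threshold counts accounts, not plausible authors. The following sketch is an added example, not Secret's code or its actual fix: the `Account` fields, the age and activity cut-offs, and the hardened check are assumptions chosen to show how a service could measure the real anonymity set before showing a "friend" label.

```python
from dataclasses import dataclass

FRIEND_THRESHOLD = 7  # from the article: at least seven contacts using the app


@dataclass(frozen=True)
class Account:
    handle: str
    age_days: int  # assumed signal: days since the account was created
    posts: int     # assumed signal: number of posts the account has made


def naive_shows_friend_label(contacts):
    """Rule as the article describes it: only the number of contacts matters."""
    return len(contacts) >= FRIEND_THRESHOLD


def plausible_authors(contacts, min_age_days=30, min_posts=1):
    """Contacts that could realistically have written a given post.

    Fresh, silent accounts add nothing to the anonymity set, so they are
    excluded. The cut-offs are hypothetical, not values from Secret.
    """
    return [a for a in contacts
            if a.age_days >= min_age_days and a.posts >= min_posts]


def hardened_shows_friend_label(contacts):
    """Show the label only when enough plausible authors remain."""
    return len(plausible_authors(contacts)) >= FRIEND_THRESHOLD


# Constructed sample data: one established account plus six filler accounts,
# and an ordinary contact list of eight established accounts.
POISONED = [Account("established-user", 200, 15)] + [
    Account(f"filler-{i}", 0, 0) for i in range(6)
]
ORGANIC = [Account(f"contact-{i}", 90 + i, 3 + i) for i in range(8)]

if __name__ == "__main__":
    for name, contacts in (("poisoned", POISONED), ("organic", ORGANIC)):
        print(name,
              "naive:", naive_shows_friend_label(contacts),
              "anonymity set:", len(plausible_authors(contacts)),
              "hardened:", hardened_shows_friend_label(contacts))
```

On the poisoned list the naive rule shows the label while the anonymity set is 1; the hardened rule withholds it, and both rules agree on the organic list.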

As Wired points out, the trick definitely worked, but only in one direction. Thankfully, there’s still no (publicly disclosed) way to suss out a user’s identity starting from a secret they’ve already shared with the world. Secret CEO David Byttow confirmed that this particular issue has been taken care of, which makes it one of the latest in a long list of bugs (42, to be precise) that’ve been closed since Secret opened up its bug bounty program six months ago. Still, we can’t help but wonder how long it’ll be before someone without white-hat scruples stumbles upon some security flaw and starts going to town with it. Remember, Secret users: you can always unlink your comments if you start getting cold feet.


Source: Wired
