Well that didn’t take long. The new anonymous sharing app Secret, which has morphed into Silicon Valley’s “blind item” (and a great place to troll reporters, apparently) has been hacked. Don’t worry, it’s not that serious. The hack doesn’t expose who said what – though we’re sure someone is already working on that because, hey, nothing is ever really anonymous.
However, the hack does expose that Secret may have less than ideal security measures in place, which may be concerning to those spilling their guts or trash-talking on the service. (Unless all your friends already know which secrets are yours, of course.)
The hack allows users to make requests under the context of another user, which is possible because the server doesn’t do any authentication to check that you have the correct user token. What that means, in practice, is that a user could do something like comment on another person’s post, despite it being clearly marketed as “Public Comments Disabled.”
For background, the way Secret works is by obscuring the identities of those on its service. The app asks you for your phone number and email when you sign up, and then uses your address book to tell you when something has been posted by a friend a friend of friend, or if it’s something that just became popular on Secret which made it available for all to see. In the latter case, Secret displays the item’s location, like “California” or “New York.”
You can’t typically comment on those items, since you’re not in the poster’s friend network, but the hack changes that. Here’s how it works:
[Note that in the video, I'm asking him to angle his phone so I can get a better look at the screen, which was in a separate video stream. I could see the comment he was able to post, but the quality of that video was sub-par. I'm including a screenshot instead.]
Here’s the hacked post, as referenced in the video:
The person who pointed out these apps’ faults is someone who has an app in the same broader messaging space. That’s why they were poking around. “I’m not even a security researcher,” he admitted. “Anybody can do what I’m doing.”
To be fair, the hack in question, in and of itself, is not a significant threat. And finding security holes in social apps has become par for the course these days, it seems. Just look at all the problems surrounding Snapchat, for example.
In addition, as Secret.ly co-founder David Byttow points out when we alerted him to the findings, “public comments are disabled to uphold the quality of the conversation, not as a security measure. It may change at any time.”
That may be true, but when companies are promising anonymity and privacy, we should hold them to higher standard. In other words, you shouldn’t be able to change the way software behaves in a matter of seconds with a rudimentary set of skills. (Note that manipulating and using Secret’s internal API is against its Terms of Service, would-be hackers.)
But Byttow stands firm in saying that there is no security risk here. “This is not a security issue. It’s a product decision that was obviated by misuse of our internal API, and since been fixed. We may lift the product restriction at any time to enable people to comment on any secret, after we all learn a little more about the platform.”
Lest this news has you running for Secret competitor Whisper, be aware they they might not be all that secure either. That company’s traffic is transferred un-encrypted over HTTP, including user tokens and location data.