Today, for a brief time, a post on the secret-sharing app Secret and an image on Twitter caused a twinge in the cockles of every user’s heart. The image appeared to indicate that your email, and therefore your identity, could be tied to your Secret posts.
Given that the vast majority of posts on Secret are stuff that would end up being really, really awkward to explain to friends and employers, that’s a genuine concern.
Twitter denizen Barce was one of the first to share a screenshot publicly that showed your own email (but not that of any other user) being passed as part of the stream of data from the app’s internal API.
The fact is that there was a very remote possibility of this being a problem in the long run, as it required that the ‘sniffer’ own the network that the device was on and poll all of the traffic going back and forth. And Secret co-founder David Byttow mentions that the email addresses were not actually tied to specific posts anyway.
With the help of professional app breaker Nick Arnott, we took a look at the traffic that was passing in and out of the app and saw the email ourselves — and we saw it disappear from the feed. That disappearance was no coincidence, as Secret co-founder David Byttow tells us that they removed the email from the response stream even as he was chatting with Barce on Twitter.
That the change was made so quickly speaks well of Secret’s proactive responsiveness to security issues that may crop up, which is probably a good thing given the nature of the app.
In addition, Byttow tells us that they’re ‘dropping everything’ to work on setting up a bug bounty program that will encourage security researchers and tinkerers like Barce to reach out to them directly with anything they feel is a threat to user privacy. This is a common practice with larger companies like Google and Microsoft, who have hundreds of products and millions of lines of code that can be audited more thoroughly by the crowd. And not having an active bug bounty program and a proactive demeanor about security probably didn’t help Snapchat when a user was able to hack its API to suss out user phone numbers.
The plan is to launch the program soon, even today if possible.
The fact that today is Byttow’s birthday didn’t stop him from aggressively pursuing the report and responding, so credit to him for that.
Image Credit: Bart Everson