QuizUp Sends Personal User Info To Strangers, Company Says Bug Contributed To Weakened Security

It’s only been two-and-a-half weeks since hit mobile trivia app QuizUp began to take the world by storm. It’s fun, and it’s addictive*… but if you haven’t started playing yet, you might want to wait a little bit before downloading the app and connecting it to Facebook. That’s because one software developer claims to have uncovered what he views to be privacy issues with the way that QuizUp stores and shares personal information. Updates below.

Kyle Richter, a software developer and CEO of Dragon Forged Software (full disclosure: a competitor of sorts to QuizUp), wrote a blog post today detailing how QuizUp shares the personal information of its users with their opponents in plain text. According to Richter, that information includes but is not limited to “full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is.”

We spoke to Richter about his article, and asked additional questions to follow up after we received a response from Plain Vanilla, the publishers of QuizUp.

It’s important to note that the information users have access to is not that of friends, but of strangers that they’re playing matches against, Richter writes. Facebook tokens are also sent over SSL but in plain text, which means that if you’re tech savvy enough you could intercept it, though the app does not have posting permissions.

Just as importantly, QuizUp appears to store your personal contact data after you give it access to your address book, presumably to invite other users to join you in playing the game. Richter writes:

“When access is granted, all of your contact’s emails are sent, once again in plain text, to QuizUp’s servers. This is done under the deception that you are hand inviting your friends on a one by one basis via SMS, while in the background it is copying and transmitting their contact data.”

As a note, the data transmitted was done so over SSL, and required interception and translation by a proxy tool. Not something likely to happen to most users.

These are serious allegations, especially for an app that relies on social connections to help spread its virality. But it’s not the first time we’ve seen this type of activity: Transmitting user contact data  in a manner that is interceptable to the company servers is part of what landed Path in hot water with regulators a year and a half ago. After deleting all personal contact info from its servers, Path eventually settled wth the FTC over those privacy violations. To be clear, QuizUp is not retaining any contact data on their servers, which was another major component of the Path case, and it asks explicitly for user permission to use the data to find friends.

Plain Vanilla CEO Thor Fridriksson spoke to TechCrunch via email, saying that there were many untrue statements in Richter’s article, starting with the implication that QuizUp sends user data in plain text. “Privacy is incredibly important to us,” he said. “We never send or receive any data in plain text to our servers.”

And that’s true, to a degree. The information is sent over SSL, which is a good basic security measure, but it is transmitted in plain text. Text that Richter says he easily intercepted using a tool on his computer. Some of that text was easily readable in one of the default storage files on an iOS device, accessible without any specialized tools.

Fridriksson’s response to us included the note about SSL transmission, but admitted that there were security flaws in the way the app handled a user’s information.

“Due to a bug in our third-party network library this encryption could be weakened on some occasions. This issue has been addressed in an update waiting review at Apple,” Fridricksson’s statement sent to us says. “User’s passwords are hashed before we store them in our databases. The user’s Facebook access token is never stored in plain text on the client.”

Though the token does not appear to be stored on the device, it was transmitted in plain text, un-hashed. Richter showed us one of the access tokens sniffed from the device. And strangers’ information from their Facebook profiles was indeed stored in plain text on the device in a default info file.

Plain Vanilla also admits that it was a mistake to transmit address books without hashing them:

Our user’s address books are not stored on our servers and only used temporarily to help us find your friends. It was a mistake to not hash the contents of the address book before sending to our servers and we are currently changing the client application so it hashes the address book contents before sending to our servers.

This is where the statement from Plain Vanilla gets a little fuzzy. It says that they “discovered a slight server error which inadvert[antly] leaked some player’s profile data to other users IF they had modified their client application in order to decrypt the communication. This was an developer’s error and has been fixed already on our servers.”

Richter did not modify his client in any way, simply read the traffic that was already being sent. And the local file which contained user information did not require any decryption to read. And indeed, the information is posted right on Richter’s site (though it is censored). This would not be possible if it was not stored or sent in plain text.

Though Plain Vanilla says Richter never sent them any emails, we were shown the original email sent to the company’s dedicated privacy address by Richter.

Fridricksson’s statement to us concludes:

We will be developing with our community stronger privacy features to ensure that everyone can enjoy QuizUp without any privacy concerns. We never received any emails from Kyle Richter but we welcome any concerns and will work with any security experts in order to make the QuizUp community a better and more secure place.

Transmission of contact data in interceptable fashion, for the record, was exactly the kind of behavior that got Path in hot water, and sparked a Congressional inquiry, though Path also stored address books on its servers, which QuizUp does not.

Richter notes that the app is extremely popular, with something like 1.5M downloads in the store over the past couple of weeks. The app’s issues have the potential to affect a lot of people.

We have a journeyman’s familiarity with the processes used by Richter to suss out the traffic and data storage issues of QuizUp. We’ve actually used them in the past to duplicate the Path issues for reporting purposes and to uncover similar bad behavior by other popular apps like Facebook, Foursquare and more last year.

The allegations come as QuizUp has enjoyed several weeks sitting near the top of the Apple App Store rankings. Also, it comes not long after the company announced that it had raised $2 million from Sequoia Capital. Other investors include Greycroft Partners, IDG Ventures, Tencent, BOLDstart Ventures, CrunchFund (which is owned by TechCrunch founder Michael Arrington), and MESA+.

Update: TechCrunch spoke to Fridricksson further about the updates to QuizUp. He says that a server side fix has already been made to the way the app transmits any personal information. The next time any user opens the app, they will not transmit information in the way that made it so easy to intercept before.  An update to the app is already in review with other security fixes. As far as the local cache of data, Plain Vanilla says that it does not contain any information other than the basic info you choose to share with those you’ve authorized in the app as friends.

This article has been updated to clarify the differences between the Path case and QuizUp’s, to note that text was transmitted over SSL and to reinforce that it never stored user contacts on its servers.

Update #2: Fridriksson followed up with a public Facebook post discussing the security-related concerns and thanking Richter for bringing them up. The post detailed the changes that Plain Vanilla has made to address the issues and what it’s doing going forward.

In conclusion, he wrote:

“We’re sorry for this. While the issues are not as serious as alleged, we will do better to ensure QuizUp is a secure community for you to connect with people from around the world through shared passions and interests.”

* You can see that by Ryan’s Level 45 ranking in The Wire trivia.