Turns out the Secret App isn't so secret
For months, users have been spilling their guts on the anonymous sharing app Secret, but perhaps some of them are regretting this decision. White hat hackers have found serious flaws in the privacy of Secret, making the secrets not as private as we may have thought.
Since February, 38 white hat hackers have found 42 security holes in the app, which would allow a user to link a secret post to your name. Ben Caudill, hacker and co-founder of Seattle-based Rhino Security Labs, and his CTO Bryan Seely, known for manipulating Google Maps listings, discovered one such hole simply by using e-mail addresses.
You cannot see posts from people in your social circle until you give the app access to your contact list. With that access, the app sorts through the e-mail addresses and phone numbers in it to find other Secret users and automatically has you follow them. You need at least seven friends before the friends' feed unlocks, and even then you technically don't know who is sending each secret.
Caudill created 50 fake Secret accounts and deleted his contact list on his iPhone, adding the e-mail addresses of seven of the fake accounts. Lastly, he added the e-mail address of one real person whose secret he wanted to unveil. After creating his own Secret account, Caudill was able to see exactly what secrets the one real person was posting because the rest of his feed was filled with secrets from his own dummy accounts.
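To make the failure mode concrete, here is an added Python model, constructed for this article and not Secret's own code, of the contact-list threshold just described: it shows that a seven-friend minimum counts accounts rather than independent people, so the anonymity set behind the friends' feed collapses to one, and it sketches an assumed hardening rule (not Secret's actual fix) that counts only established, connected contacts. All addresses and dates are made up.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_FRIENDS = 7            # the seven-friend threshold described above
MIN_AGE_DAYS = 30          # assumed: minimum account age for a contact to count
TODAY = date(2014, 8, 25)  # constructed reference date for the model

@dataclass
class Account:
    email: str
    created: date
    contacts: set = field(default_factory=set)  # e-mails in this user's address book

def registered_friends(viewer, directory):
    """Contacts of the viewer who are Secret users: what the contact sync turns into follows."""
    return [directory[e] for e in viewer.contacts if e in directory]

def naive_unlock(viewer, directory):
    """Rule as the article describes it: any seven registered contacts unlock the friends' feed."""
    return len(registered_friends(viewer, directory)) >= MIN_FRIENDS

def anonymity_set(viewer, directory, dummies):
    """Contributors the viewer does not control, i.e. how many people a post in the
    feed could actually be hiding among. Seven dummies plus one real contact gives 1."""
    return sum(1 for f in registered_friends(viewer, directory) if f.email not in dummies)

def hardened_unlock(viewer, directory):
    """Assumed mitigation, not Secret's actual fix: a contact only counts toward the
    threshold if its account is old enough and has registered contacts beyond the viewer,
    so freshly created dummy accounts with empty address books cannot pad the list."""
    def embedded(acct):
        aged = (TODAY - acct.created).days >= MIN_AGE_DAYS
        peers = [e for e in acct.contacts if e in directory and e != viewer.email]
        return aged and bool(peers)
    return sum(embedded(f) for f in registered_friends(viewer, directory)) >= MIN_FRIENDS

def build_scenario():
    """Constructed replay of the setup above: seven fresh dummy accounts with empty
    address books, one long-standing real user, and an observer whose contact list
    holds exactly those eight addresses."""
    dummies = {f"dummy{i}@example.invalid" for i in range(7)}
    directory = {e: Account(e, TODAY) for e in dummies}
    real, peer = "target@example.invalid", "peer@example.invalid"
    directory[real] = Account(real, TODAY - timedelta(days=200), {peer})
    directory[peer] = Account(peer, TODAY - timedelta(days=300), {real})
    observer = Account("observer@example.invalid", TODAY, dummies | {real})
    directory[observer.email] = observer
    return observer, directory, dummies

if __name__ == "__main__":
    obs, dir_, dummies = build_scenario()
    print(naive_unlock(obs, dir_), anonymity_set(obs, dir_, dummies), hardened_unlock(obs, dir_))
```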
Caudill and Seely disclosed the security hole to Secret CEO David Byttow, hoping to qualify for Secret's six-month-old bug bounty program.
"As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements," says Byttow. "We've had zero public incidents with respect to security and privacy. Everything has come through our bounty program."
The security hole only works in one direction: starting from a known person, you could see that person's secrets, but you could not start from a specific secret and identify the user behind it.
Secret has now closed this hole, and the start-up says it takes pride in learning from its mistakes and trying new things. "The thing we try to help people acknowledge is that anonymous doesn't mean untraceable," says Byttow. "Secret is not a place for unlawful activity, or to make bomb threats or share explicit imagery. ... We do not say that you will be completely safe at all times and be completely anonymous."
Secret has also tightened its policies on cyberbullying. Users cannot post a secret that includes a person's name unless that person is a public figure. Users cannot upload photos from their camera roll, but they can take an image in real time and have access to many pre-approved Flickr images.
Given these setbacks, Secret still has a long road ahead in trying to combine sharing and anonymity in one app.