Hackers at Rhino Security Labs figured out a way to dupe Secret's system.
To join Secret's community, the app imports your contacts. It then labels which posts are from your friends.
To prevent you from tracking a particular person, Secret requires that seven of your contacts post to the network before it labels their posts.
But here's the hack: Fill your phone's contact list with fake people and only one real contact -- your target. If you control posts coming from these dummy Secret accounts, it's easy to spot when your real "friend" is posting.
Secret app is supposed to keep you anonymous. But until last week, it was possible to trace posts directly to you.
Why does it matter? Consider these recent posts.
From someone in Tel Aviv, Israel: "I am an Arab. I live near Jerusalem. I am against war, and I believe in democracy. Hamas is bad for all Muslims! Stop Hamas! If someone found out I said that, I would be executed!"
A person in Utah: "Having an invisible illness is killing me. Literally. And I'm only 24."
And someone in Poland: "I told everyone that cat made those scars."
The security researchers notified the San Francisco startup last week, and Secret said it issued a fix immediately. Now, if you import a bunch of fake friends and only one real one, the real one won't be tagged as a "friend," Seely said. It's security through obscurity.
Secret CEO David Byttow blamed an app software update, saying the hack was "arduous," not 100% accurate and only possible for a short time.
"We're incredibly grateful to these folks for coming to us. We patched a similar issue back in May," Byttow said, adding that the problem was fixed within "a matter of hours."
But consider this a reminder about a mantra in the hacker community: Nothing you do in the digital realm is truly anonymous. Eventually, it will be traced back to you.
