Popular anonymous confessional app Secret isn't so secret after all. That's because a pair of security researchers with Rhino Security Labs recently uncovered a logic hack that allowed them to match "anonymous" users with their scandalous posts.
As it turns out, the hack was extremely easy to pull off. You see, Secret shows a stream of posts from friends and friends-of-friends anonymously - so long as a user has more than eight friends using the app. The latter requirement is set in place to prevent people from being able to be identified easily.
Benjamin Caudill and Bryan Seely found a pretty easy workaround, however. Using a spare iPod Touch, they downloaded the app and created dozens of "fake" friends with accounts. They then added a single real friend to each account.
Because all of the fake friends were dummy accounts, only the real friend's account was posting. At that point, they knew that anything that was posted in the stream came from them.
Creating around 100 or so fake accounts would have been a time consuming process so they wrote a script to automate the process using a loophole in Secret's back-end.
Fortunately for Secret and its users, the hackers did the right thing and reported the bug to the company which promptly patched it. Had they went the other way, the exploit could have easily commanded six figures on the black market.