Researchers use logic hack to match anonymous users with their scandalous posts on Secret

Shawn Knight


Popular anonymous confessional app Secret isn't so secret after all. That's because a pair of security researchers with Rhino Security Labs recently uncovered a logic hack that allowed them to match "anonymous" users with their scandalous posts.

As it turns out, the hack was extremely easy to pull off. Secret shows a stream of posts from friends and friends-of-friends anonymously, but only once a user has more than eight friends using the app. That requirement is meant to keep individual posters from being identified easily.

Benjamin Caudill and Bryan Seely found a pretty easy workaround, however. Using a spare iPod Touch, they downloaded the app and created dozens of "fake" friends with accounts. They then added a single real friend to each account.

Because all of the fake friends were dummy accounts that never posted, only the real friend's account was posting. At that point, they knew that anything that appeared in the stream came from that one real friend.

Creating 100 or so fake accounts by hand would have been time-consuming, so they wrote a script that automated the process using a loophole in Secret's back-end.
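The weakness described above is that the app gates the stream on the viewer's raw friend count, while the property it is actually trying to protect is the size of the anonymity set: how many distinct accounts could plausibly have written each visible post. The following is an added illustration, not Secret's code or the researchers' script; the account graph, names (`observer`, `target`, `dummyN`), the `FRIEND_THRESHOLD` value taken from the article's "more than eight friends", and the `hardened_check` mitigation are all constructed for this example. It models the setup the article describes (many dummy accounts friended to one observer, each also friended to a single real user) and shows that the friend-count rule passes while the effective anonymity set is 1, then shows a gate based on active posters instead.

```python
# Added illustration of the anonymity-threshold logic flaw described in the article.
# Not Secret's code; all names, data and the mitigation are constructed for this example.
from dataclasses import dataclass, field

FRIEND_THRESHOLD = 8  # the article: the stream is shown once a user has more than eight friends


@dataclass
class Account:
    name: str
    friends: set[str] = field(default_factory=set)
    posts: list[str] = field(default_factory=list)


def befriend(accounts: dict[str, Account], a: str, b: str) -> None:
    """Friendship is symmetric in this model."""
    accounts[a].friends.add(b)
    accounts[b].friends.add(a)


def candidate_authors(accounts: dict[str, Account], viewer: str) -> set[str]:
    """Accounts whose posts can appear in the viewer's stream: friends and friends-of-friends."""
    friends = accounts[viewer].friends
    friends_of_friends = {f2 for f in friends for f2 in accounts[f].friends}
    return (friends | friends_of_friends) - {viewer}


def flawed_check(accounts: dict[str, Account], viewer: str) -> bool:
    """The rule as the article describes it: only the viewer's raw friend count is consulted.
    Dummy accounts that never post still count, so the check says nothing about anonymity."""
    return len(accounts[viewer].friends) > FRIEND_THRESHOLD


def anonymity_set(accounts: dict[str, Account], viewer: str) -> int:
    """Number of distinct candidate authors that have actually posted something visible.
    This is the quantity the threshold is supposed to protect: if it is 1, every post is attributable."""
    return len({a for a in candidate_authors(accounts, viewer) if accounts[a].posts})


def hardened_check(accounts: dict[str, Account], viewer: str, min_posters: int = FRIEND_THRESHOLD) -> bool:
    """Constructed mitigation (not Secret's actual fix): gate the stream on the effective anonymity
    set rather than the friend count, so silent dummy accounts no longer count toward the threshold.
    On its own this does not stop sybil accounts that also post, which is why limits on bulk
    account creation (the loophole the article says was patched) remain a necessary complement."""
    return anonymity_set(accounts, viewer) > min_posters


def build_attack_scenario(n_fakes: int = 20) -> dict[str, Account]:
    """Constructed replica of the graph in the article: one observer account, many dummy accounts
    friended to it, and each dummy also friended to the single real target, who is the only poster."""
    accounts = {"observer": Account("observer"), "target": Account("target")}
    accounts["target"].posts.append("constructed sample post")
    for i in range(n_fakes):
        name = f"dummy{i}"
        accounts[name] = Account(name)
        befriend(accounts, "observer", name)
        befriend(accounts, name, "target")
    return accounts


def build_healthy_scenario(n_friends: int = 12) -> dict[str, Account]:
    """Constructed honest graph: the viewer's friends are all real, active posters."""
    accounts = {"viewer": Account("viewer")}
    for i in range(n_friends):
        name = f"friend{i}"
        accounts[name] = Account(name, posts=[f"constructed post from {name}"])
        befriend(accounts, "viewer", name)
    return accounts


if __name__ == "__main__":
    attack = build_attack_scenario()
    print("friend-count rule passes:", flawed_check(attack, "observer"))   # True
    print("effective anonymity set:", anonymity_set(attack, "observer"))   # 1
    print("anonymity-set rule passes:", hardened_check(attack, "observer"))  # False

    healthy = build_healthy_scenario()
    print("friend-count rule passes:", flawed_check(healthy, "viewer"))    # True
    print("anonymity-set rule passes:", hardened_check(healthy, "viewer"))  # True
```

The useful takeaway for anyone designing a "post anonymously among your friends" feature is that the check must be computed over the pool of possible authors of what is shown, not over a property of the viewer that the viewer fully controls; and since any threshold is only as good as the cost of manufacturing accounts, it has to be paired with controls on bulk account creation.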

Fortunately for Secret and its users, the researchers did the right thing and reported the bug to the company, which promptly patched it. Had they gone the other way, the exploit could easily have commanded six figures on the black market.

So... they patched the ability to make lots of user accounts quickly. How does this solve the logic problem to begin with in which there are a lot of fake accounts?
 
I guess Benjamin Caudill and Bryan Seely are off the NSA's Christmas card list now for reporting it to the company instead of them.