Sarahah, an app designed to allow friends and co-workers to anonymously provide constructive criticism, launched in late 2016 and rapidly grew in popularity. Ranking highly on Apple's App Store and reaching number one positions in several countries on Google Play, the app is fairly successful.
With fame comes attention, however: security researcher Scott Helme has disclosed a number of vulnerabilities after reaching out to Sarahah and receiving no response.
Issues range from cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) to being able to reset other people's passwords. Cross-site request forgery lets an attacker craft a malicious link that performs actions on behalf of an authenticated user without any further interaction from that user. In this case, a message is automatically sent to a specified user the moment the victim clicks such a link.
A persistent XSS vulnerability allows cookies to be stolen, users to be redirected to other websites, and many other undesirable actions to be carried out without the user's consent.
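To make the two web issues above concrete, here is an added example of a minimal message endpoint that closes both holes. It is illustrative code written for this article, not Sarahah's code or anything from Scott Helme's disclosure; the session store, the `/message` form fields and the inbox renderer are all constructed assumptions. A forged cross-site request carries the victim's session cookie but cannot carry the per-session CSRF token, so the token check rejects it; and every stored message body is HTML-escaped on output, so a message containing markup is shown as text rather than executed (the persistent XSS case).

```python
import hmac
import html
import secrets

# Constructed in-memory stores standing in for the app's session and message tables.
SESSIONS = {}   # session_id -> {"user": str, "csrf_token": str}
INBOX = {}      # recipient -> list of raw message bodies as submitted


def start_session(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def send_message(session_id, form):
    """Handle POST /message. Returns (status_code, body).

    The CSRF check runs before anything else: a request that has a valid
    session cookie but no matching token is exactly what a cross-site forgery
    looks like, because the attacker's page can make the browser attach the
    cookie but cannot read the token out of the victim's session.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    recipient = form.get("to", "")
    body = form.get("body", "")
    INBOX.setdefault(recipient, []).append(body)   # store raw; escape on output
    return 200, "sent"


def render_inbox(recipient):
    """Render stored messages as HTML, escaping each body so that stored markup
    is displayed as text instead of being executed in the reader's browser."""
    items = "".join(f"<li>{html.escape(m)}</li>" for m in INBOX.get(recipient, []))
    return f"<ul>{items}</ul>"


def demo():
    """Walk through a forged request and a legitimate one carrying hostile markup."""
    INBOX.pop("bob", None)
    sid = start_session("alice")
    # A forged form post: cookie present (session_id), token absent.
    forged = send_message(sid, {"to": "bob", "body": "sent by a forged form"})
    # A legitimate post whose body is a script tag; it is stored but never rendered raw.
    legit = send_message(sid, {"to": "bob", "body": "<script>alert(1)</script>",
                               "csrf_token": SESSIONS[sid]["csrf_token"]})
    return {"forged_status": forged[0], "legit_status": legit[0],
            "inbox_html": render_inbox("bob")}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the token check would sit alongside a `SameSite` cookie attribute and output escaping would be done by the template engine, but the two checks shown are the ones whose absence produces the behaviour described above.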
Another key issue pointed out is the lack of proper filtering within messages. An anonymous platform is a prime target for hate speech, threats and the ugly side of humanity. Misspelling a flagged keyword or adding extra characters in front of it easily bypasses the filter in place. There is no limit to restrict mass spam either, forcing users to delete messages one by one.
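The filter weaknesses described above come down to matching raw input against a word list. The added example below, written for this article and not taken from Sarahah, contrasts a naive exact-word filter with one that normalizes the text first (case folding, stripping accents and punctuation, collapsing repeated letters), and adds a simple per-sender sliding-window rate limit against mass spam. The blocked-word list, the limit of 5 messages per 60 seconds and the sender keys are constructed assumptions; the accent handling goes slightly beyond the misspelling and padding cases the article names.

```python
import re
import unicodedata
from collections import deque

BLOCKED = {"threat", "abuse"}   # constructed placeholder list, not Sarahah's


def naive_flagged(text):
    """Exact whole-word match: defeated by a misspelling or by padding characters."""
    return any(word in text.split() for word in BLOCKED)


def normalize(text):
    """Reduce text to a canonical form before matching:
    decompose accented letters and drop the accents, fold case,
    drop everything that is not a-z, and collapse runs of the same letter."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower()
    text = re.sub(r"[^a-z]", "", text)
    return re.sub(r"(.)\1+", r"\1", text)     # "thrreat" -> "threat"


def hardened_flagged(text):
    """Substring match on normalized text against normalized keywords."""
    norm = normalize(text)
    return any(normalize(word) in norm for word in BLOCKED)


# --- rate limiting against mass spam -------------------------------------
RATE_LIMIT = 5          # constructed: max messages per sender key per window
WINDOW_SECONDS = 60
_recent = {}            # sender_key -> deque of send timestamps inside the window


def allow_send(sender_key, now):
    """Sliding-window limit keyed on whatever identifies the sender
    (for an anonymous app this would be a client IP or device id)."""
    q = _recent.setdefault(sender_key, deque())
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def demo_rate_limit():
    """Six sends in one window, then one more after the window slides."""
    _recent.pop("sender-1", None)
    decisions = [allow_send("sender-1", 100 + i) for i in range(6)]
    decisions.append(allow_send("sender-1", 161))
    return decisions


if __name__ == "__main__":
    for sample in ["this is a threat", "this is a thrreat", "xx.threat", "Thréat"]:
        print(repr(sample), naive_flagged(sample), hardened_flagged(sample))
    print(demo_rate_limit())
```

Normalizing this aggressively trades precision for recall (an innocent word that contains a keyword as a substring will be flagged), so in practice the hardened check is a trigger for review rather than an automatic block.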
One of the most annoying issues is that anybody can reset another user's password if they know that user's e-mail address. Instead of requiring a link in an e-mail to be clicked before the password is reset, the password is changed immediately when a "forgot my password" request is submitted.
It is advised that anyone using the app refrain from doing so until the security issues are patched. There is not yet a browser add-on, nor a fix for the mobile app, that prevents exposure to potentially malicious content.
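The password-reset flaw is easiest to see next to the flow it should have used. The following added example (written for this article; not Sarahah's code and not part of the disclosure) places the pattern the article describes, an immediate change on a "forgot my password" request, beside a two-step flow in which the server issues a random token, stores only its hash with an expiry, e-mails the token to the address on file, and changes the password only when that token comes back. The user table, the 15-minute token lifetime and the static salt are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the user and reset-token tables.
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}                 # sha256(token) -> (email, expires_at)
TOKEN_TTL = 15 * 60               # constructed: seconds a reset token stays valid
SALT = b"constructed-static-salt" # constructed; a real app stores a random salt per user


def _hash_password(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


def check_password(email, pw):
    stored = USERS[email]["password_hash"]
    return stored is not None and hmac.compare_digest(stored, _hash_password(pw))


def weak_forgot_password(email, new_password):
    """The pattern described above: the password changes the moment the request
    arrives, so knowing the address is enough to lock the owner out."""
    if email not in USERS:
        return False
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True


def request_reset(email, now):
    """Step 1 of the hardened flow: mint a random token, store only its hash
    and expiry, and hand the token to the mailer. Nothing about the account
    changes here, so this step is harmless even when an attacker triggers it."""
    if email not in USERS:
        return None   # a real handler responds identically either way
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, now + TOKEN_TTL)
    return token      # goes into the e-mail; never into the HTTP response


def complete_reset(token, new_password, now):
    """Step 2: only whoever received the e-mailed token can change the password.
    The token is single-use (popped) and must not have expired."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True


def demo():
    """Compare the two flows from the point of view of someone who only knows the address."""
    results = {}
    USERS["alice@example.com"]["password_hash"] = _hash_password("original")
    # Weak flow: an address alone is enough to change the password.
    results["weak_flow_changed"] = weak_forgot_password("alice@example.com", "attacker-chosen")
    results["weak_flow_attacker_logs_in"] = check_password("alice@example.com", "attacker-chosen")
    # Hardened flow: a guessed token does nothing.
    USERS["alice@example.com"]["password_hash"] = _hash_password("original")
    results["bogus_token"] = complete_reset("not-a-real-token", "pwned", now=1000)
    results["still_original"] = check_password("alice@example.com", "original")
    # A real token that is presented too late is refused.
    token = request_reset("alice@example.com", now=1000)
    results["expired"] = complete_reset(token, "late", now=1000 + TOKEN_TTL + 1)
    # A fresh token works exactly once.
    token = request_reset("alice@example.com", now=2000)
    results["reset_ok"] = complete_reset(token, "fresh", now=2010)
    results["reuse"] = complete_reset(token, "again", now=2020)
    results["new_password_works"] = check_password("alice@example.com", "fresh")
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing the token before storing it means a leaked token table cannot be replayed, and the constant-time comparison in `check_password` is the usual guard against timing differences on the password check itself.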