- People are demanding the man who filmed the killing of Eric Garner be freed with #FreeRamsey Monday 7:36 PM
- Billie Eilish’s ‘Bad Guy’ unseats ‘Old Town Road’ from the No. 1 spot Monday 6:11 PM
- People think Ghislaine Maxwell was Photoshopped in those In-N-Out photos Monday 5:41 PM
- People are transfixed by a TikTok cat dancing along to ‘Mr. Sandman’ Monday 4:52 PM
- Nazi troll pretending to be antifa in Portland gets outed by internet Monday 4:15 PM
- ‘Dear White People’ season 3 reflects the exhaustion of the times—for better or for worse Monday 3:59 PM
- ‘Seinfeld’ and ‘Friends’ fans feud over which sitcom is better Monday 3:57 PM
- Anti-abortion centers are getting around Google’s misinformation policy Monday 3:45 PM
- Twitter, Facebook remove Chinese accounts spreading Hong Kong misinformation Monday 3:41 PM
- ‘Mindhunter’ season 2 offers no happy endings Monday 3:19 PM
- How to watch ‘The Righteous Gemstones’ online Monday 3:03 PM
- ‘Mindhunter’ season 2 brings out the memes Monday 2:59 PM
- Rumor suggests the X-Men might battle the Avengers on-screen Monday 2:54 PM
- The CDC is investigating cases of severe lung damage linked to vaping Monday 2:08 PM
- How to stream the 49ers vs. Broncos on (preseason) Monday Night Football Monday 1:24 PM
Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Samsung Galaxy S5 running Android 5.1.1. He used a monitoring software called Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info,” Julian told the Daily Dot. “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
Sarahah CEO Zain al-Abidin Tawfiq responded to the allegations in a tweet, saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Like most social media apps, both iOS and Android versions of Sarahah explicitly ask for a host of permissions, including contact lists. But the app failed to notify users with older Android devices that their email and contacts were being instantly uploaded to a server upon initial login.
“The address book on my phone consists of 164 contacts,” Julian wrote in a blog post. “Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users.”
You can see the Bishop Fox security analyst testing the uploads in this video:
It should be noted that iPhones and newer Android devices (Android Marshmallow or later) first pull up a prompt to “access contacts” before shipping off people’s data. The iOS version of the app even includes a pop-up hinting at the proposed feature the CEO mentioned: “The app needs to access your contacts to show you who has an account in Sarahah.”
It’s worth noting Sarahah isn’t overstepping because it uploads user’s data to its servers—that’s a common practice, especially among social apps—the issue is the information wasn’t being used for any service within the app, and according to Julian, “the app wasn’t upfront enough about what was happening.”
There is no friends list in the app, you can’t search for people by their phone number, and there is no way to see which of your contacts are using the app. As it stands, there’s no reason the app needs to upload user’s private data for any of its current functions.
It now appears the data may not have been saved, and that it was meant for a future feature, but those claims are unverifiable. We can only rely on the word of the app’s founder.
We will, however, be able to see if the data request disappears when the app is updated. As of Tuesday, Aug. 29, the data uploading continues.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.