- People are roasting this ‘traditional’ take on marriage with a hilarious meme Saturday 5:17 PM
- The internet just collectively realized that the Neopets of the world must be hungry Saturday 4:00 PM
- Alt-right message board 8chan was served a search warrant Saturday 3:06 PM
- O.J. Simpson just joined Twitter in the most bizarre fashion Saturday 1:20 PM
- Prominent phone-hacking firm says it can unlock any iPhone for law enforcement Saturday 12:39 PM
- Hundreds of police officers belong to extremist Facebook groups, investigation finds Saturday 9:31 AM
- How to watch Tyson Fury vs. Tom Schwarz online Saturday 8:00 AM
- ‘Late Night’ is a disappointing, tepid comedy Saturday 7:00 AM
- How to stream ‘Love It or List It’ for free Saturday 7:00 AM
- How to watch the 2019 Concacaf Gold Cup online for free Saturday 6:55 AM
- Borderlands 3 preview suggests the aging series can still hang with the cool kids Saturday 6:30 AM
- How to stream the 2019 College World Series for free Saturday 6:00 AM
- Police try to solve domestic violence by giving victims blunt kitchen knives Friday 5:40 PM
- Privacy activist Ola Bini detained for 2 months in Ecuador without charges Friday 5:01 PM
- Twitter says suspending ‘God’ for a pro-LGBTQ tweet was an ‘error’ Friday 4:14 PM
The app’s founder says it’s for a planned feature.
Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Samsung Galaxy S5 running Android 5.1.1. He used a monitoring software called Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info,” Julian told the Daily Dot. “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017
Sarahah CEO Zain al-Abidin Tawfiq responded to the allegations in a tweet, saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Like most social media apps, both iOS and Android versions of Sarahah explicitly ask for a host of permissions, including contact lists. But the app failed to notify users with older Android devices that their email and contacts were being instantly uploaded to a server upon initial login.
“The address book on my phone consists of 164 contacts,” Julian wrote in a blog post. “Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users.”
You can see the Bishop Fox security analyst testing the uploads in this video:
It should be noted that iPhones and newer Android devices (Android Marshmallow or later) first pull up a prompt to “access contacts” before shipping off people’s data. The iOS version of the app even includes a pop-up hinting at the proposed feature the CEO mentioned: “The app needs to access your contacts to show you who has an account in Sarahah.”
It’s worth noting Sarahah isn’t overstepping because it uploads user’s data to its servers—that’s a common practice, especially among social apps—the issue is the information wasn’t being used for any service within the app, and according to Julian, “the app wasn’t upfront enough about what was happening.”
There is no friends list in the app, you can’t search for people by their phone number, and there is no way to see which of your contacts are using the app. As it stands, there’s no reason the app needs to upload user’s private data for any of its current functions.
It now appears the data may not have been saved, and that it was meant for a future feature, but those claims are unverifiable. We can only rely on the word of the app’s founder.
We will, however, be able to see if the data request disappears when the app is updated. As of Tuesday, Aug. 29, the data uploading continues.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.