If you’re still operating under the misguided assumption that particular things you say or do on the Internet are private, pay attention. In all likelihood, nothing of yours that exists online, in your inbox, or on your apps is actually safe from prying eyes—and that includes anything you’ve shared to Secret.
Secret, a misleadingly named anonymish (yeah, we said it) social platform, is vulnerable to hacks just like everything else in the universe. As Kevin Poulsen reports for Wired, the app was recently vulnerable to an incredibly obvious hack, demonstrated by Bryan Seely and Benjamin Caudill, white-hat hackers with Rhino Labs. When you sign up, Secret populates your customized Secret world using email addresses and phone numbers stored locally on your phone. You have to have seven friends on Secret to make the app show you posts by your friends—a built-in safeguard so users can’t immediately figure out who is sharing what.
To make the hack work, you needed to delete all contact information from your device, leaving only the email address of your target and the email addresses of six more bogus Secret accounts (which you’d create and register for this purpose). Open the app and voilà: You’d see only secrets shared by your target. Supposedly, accounts using Facebook to sign up weren’t vulnerable to the attack, though we’re not sure how that would break down if you messed around with those useless email addresses that Facebook hands out to every user.
Given the hack’s simplicity, and the high-stakes content shared on Secret—Silicon Valley scandals, infidelity, strange sexual predilections… you name it—it’s actually a wonder no one outed any sensitive secrets that way.
Secret CEO David Byttow told Wired his company has confirmed and blocked the attack, which is one of 42 security holes blocked since February. “As near as we can tell this hasn’t been exploited in any meaningful way,” he said. “But we have to take action to determine that.”
If anything, the hack is a useful reminder that nothing is as private as it appears—even stuff you confide in an app bold enough to call itself Secret.