Your secrets are still safe with Secret, the popular new iPhone app that allows you to anonymously share whatever is on your mind to friends (and friends of friends) from your contact list.
A coder named @barce got pulses racing Wednesday afternoon after he tweeted out the following message:
Trust no one. Secret exposes your email & hackers can tie your email to your secret posts. #secretapp pic.twitter.com/C7P0eRvbsN
— Barce (@barce) February 12, 2014
The vulnerability, @barce claimed, could be exploited using a “man in the middle” attack to retrieve a user’s personal information. The attack happens when an “intruder uses a program that appears to be the server to the client and appears to be the client to the server,” Margaret Rouse of SearchSecurity states. “The attack may be used simply to gain access to the message, or enable the attacker to modify the message before retransmitting it.”
This message caught the attention of entrepreneur and former Mashable Editor Ben Parr.
Did someone figure out whose secrets are whose on Secret? pic.twitter.com/qYNKzxtxAv
— Ben Parr (@benparr) February 12, 2014
Minutes after @barce and Parr’s tweets were sent, David Byttow, cofounder of Secret, calmed everyone down.
“Nobody should be concerned,” Byttow told the Daily Dot. “This particular person simply set up a ‘man in the middle’ proxy on their home network and sniffed our internal API. Occasionally, the app makes a call to the server that returns user-specific information for that session. This person asked for the user information, which returned their own email address.” Byttow made a point of clarifying that this hack will only yield the hacker’s own identifying information, no one else’s.
In other words, the identities and information of other Secret users are still a secret.
@barce @niket anyway — it’s gone now. So, thanks for spotting it. But next time, probably be a little bit more clear on the actual threat.
— David Byttow (@davidbyttow) February 12, 2014
Byttow also announced that his team is working on a security bug bounty program to encourage coders like @barce to sniff out vulnerabilities in the app.
This Secret scare comes a little over a month after 4.6 million Snapchat usernames and phone numbers (including my own) were dumped online.
Photo by Kevin Shorter/Flickr (CC BY 2.0)