Researcher finds Yik Yak flaw that let you identify users

Secrets are never safe.

Mar 1, 2020, 3:17 pm*

Tech

Selena Larson 

Selena Larson

It’s probably a good idea to keep your secrets to yourself, considering anonymous applications aren’t so anonymous after all. A vulnerability discovered in the Yik Yak iOS application let one security researcher identify users and read all their posts, as well as take over a user’s account.

Yik Yak is one of the popular “anonymish” applications that skyrocketed in popularity this year as people everywhere assumed that posting secrets on mobile applications was a safe thing to do. Yik Yak uses a person’s location to anonymously display posts from a two-mile radius, which has fueled its growth among college and high school students—though not without quite a bit of controversy.

The app’s claim of anonymity was debunked when Sanford Moskowitz, an intern at security firm SilverSky Labs, discovered that an attacker could discern a Yik Yak user’s identification and read their posts, as well as act on behalf of the user when two people are on the same Wi-Fi network. SilverSky published their findings in a blog post on Friday.

The security firm said it alerted Yik Yak to the vulnerability on Dec. 2 and the company issued a fix the next day. 

Since Yik Yak only identifies users by their userID, a string of characters unique to each account, a malicious attacker could compromise a person’s account once they figure out the userID.

Like most applications, Yik Yak communicates with a variety of different servers for things like analytics, advertising, and tracking user behavior. Although Yik Yak uses encryption called HTTPS that safeguards that data from attacks when it communicates with its own server, Moskowitz discovered a vulnerability in communications sent to a third-party company.

The userID, along with other Yik Yak data, was traveling unencrypted to Flurry, a mobile analytics firm that disables HTTPS by default. “As a result, the userID is leaked to anyone who happens to be watching network traffic,” Moskowitz wrote in a technical blog post describing the hack.

Once Moskowitz accessed the userID, he used a jailbroken iPhone to completely take over an account. He also said it’s possible to deanonymize users based on IP addresses.

This isn’t the first time security researchers have exposed flaws in applications claiming to protect your information. In August, researchers discovered a flaw in Secret that let people figure out who was behind posts on the app. At the time, the company said it was one of 42 other security holes in the app, which had since been blocked. Snapchat suffered its own breach when hackers exposed data on millions of Snapchat users thanks to vulnerabilities in the app. 

The Yik Yak vulnerability might have been patched, but this hack serves as a reminder to anyone sharing their personal data with “anonymous” applications—your trust might be misplaced.

Photo by Sam Hawley/Flickr (CC BY 2.0)

Share this article
*First Published: Dec 8, 2014, 4:18 pm