Donate to the Q13 FOX Cares and Les Schwab Holiday Toy Drive

‘Secret’ app didn’t actually keep you anonymous

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.
The Secret app is supposed to keep you anonymous. But until last week, it was possible to trace posts directly to you.

The Secret app is supposed to keep you anonymous. But until last week, it was possible to trace posts directly to you.

NEW YORK (CNNMoney) — Secret is supposed to be the anonymous social network. But until this week, Secret allowed your friends to trace every one of your posts back to you.

Hackers at Rhino Security Labs figured out a way to dupe Secret’s system.

To join Secret’s community, the app imports your contacts. It then labels which posts are from your friends.

To prevent you from tracking a particular person, Secret requires that seven of your contacts post to the network before it labels their posts.

But here’s the hack: Fill your phone’s contact list with fake people and only one real contact — your target. If you control posts coming from these dummy Secret accounts, it’s easy to spot when your real “friend” is posting.

“Poison the data on the outside, bring it in as trusted data, and voilà! You make the system work for you,” said Bryan Seely, a Rhino researcher in Seattle.

Why does it matter? Consider these recent posts.

From someone in Tel Aviv, Israel: “I am an Arab. I live near Jerusalem. I am against war, and I believe in democracy. Hamas is bad for all Muslims! Stop Hamas! If someone found out I said that, I would be executed!”

A person in Utah: “Having an invisible illness is killing me. Literally. And I’m only 24.”

And someone in Poland: “I told everyone that cat made those scars.”

The security researchers notified the San Francisco startup and say that Secret issued a fix this week. Now, if you import a bunch of fake friends and only one real one, the real one won’t be tagged as a “friend,” Seely said. It’s security through obscurity.

Secret CEO David Byttow didn’t immediately respond to requests for comment.

But consider this a reminder about a mantra in the hacker community: Nothing you do in the digital realm is truly anonymous. Eventually, it will be traced back to you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

2 comments