The Secret app is no longer anonymous


Benjamin Caudill and Bryan Seely have managed, knowing only another user's email address, to reveal that user's posts on the anonymous network Secret.

What started as a random test ended up unveiling a message posted by Secret's own CEO, David Byttow. The news came out on the very same day that the application was banned in Brazil.

The purpose of this application is to let you reveal gossip and personal confessions that you cannot acknowledge or simply cannot disclose. Leaving aside the ethics underlying the application, Caudill and Seely found that, by targeting the email address or phone number of any Secret user, they could reveal the identity behind all of that user's posts.

Fortunately for Secret users, Caudill and Seely have made the details of the vulnerability available to Secret. The CEO of Secret, David Byttow, confirmed the vulnerability and said that the company has blocked the attack and begun a re-evaluation of the system. "As far as we can tell, this vulnerability has not been exploited in a meaningful way," says Byttow. "But we still have to take steps to determine scope."

"As hackers reveal these types of vulnerabilities through our rewards program HackerOne, we just make more and more progress," says Byttow. "We had zero public incidents regarding security and privacy. Everything has come through our rewards program."

How Secret works

Secret relies on anonymity in the crowd to camouflage the identities of its users. When it is first installed, you cannot see the messages from your social circle until you give it access to your phone's contact list. The app then checks all the email addresses and phone numbers in that list against Secret's user list, and you start following the ones that match.

You must be following at least seven friends before you can view their anonymous messages. Even then, you don't know which of your contacts are using the app. The problem is that the contact list is under your control, and that is what Caudill and Seely used to their advantage.

The trick

Caudill's first step was to create a group of fake Secret accounts. He then deleted the iPhone's contact list and added the seven fake email addresses as contacts. Finally, he added the email address of the person whose secrets he wanted to find out.

Then he signed up for a new Secret account and simply waited: any message that was not posted by the fake accounts or by his own account had to have been posted by the other person.

So you can get someone's secrets if you know their email address, but you cannot enter Secret and unmask the user behind a specific message.
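Why the seven-friend threshold did not protect anyone, shown from the defender's side as an added example (this is not Secret's code, and not the fix Secret deployed). The account fields, the credibility heuristic and its cut-off values are assumptions chosen for illustration; all addresses are constructed placeholders.

```python
from dataclasses import dataclass

MIN_FRIENDS = 7  # threshold described in the article


@dataclass(frozen=True)
class Account:
    email: str
    age_days: int   # days since registration (assumed field)
    listed_by: int  # other users' address books containing it (assumed field)


def matched_accounts(contacts, users):
    """Contacts from the uploaded address book that are registered users."""
    return [users[c] for c in contacts if c in users]


def naive_feed_allowed(contacts, users):
    """Design described in the article: count matches, trust the address book."""
    return len(matched_accounts(contacts, users)) >= MIN_FRIENDS


def is_credible(acct, min_age_days=30, min_listed_by=3):
    """Hypothetical heuristic: established account known to several other users."""
    return acct.age_days >= min_age_days and acct.listed_by >= min_listed_by


def effective_anonymity_set(contacts, users):
    """Matched accounts that plausibly belong to distinct real people."""
    return sum(is_credible(a) for a in matched_accounts(contacts, users))


def hardened_feed_allowed(contacts, users):
    """Apply the threshold to the effective anonymity set, not the raw count."""
    return effective_anonymity_set(contacts, users) >= MIN_FRIENDS


# Constructed sample data: eight established users and seven fresh accounts.
USERS = {f"friend{i}@example.org": Account(f"friend{i}@example.org", 400, 12)
         for i in range(8)}
USERS.update({f"new{i}@example.com": Account(f"new{i}@example.com", 0, 0)
              for i in range(7)})

# An ordinary address book (one contact is not a registered user).
ORGANIC_BOOK = [f"friend{i}@example.org" for i in range(8)] + ["nobody@example.org"]
# An address book shaped like the one in the article: seven fresh accounts
# plus a single real user, so every unexplained post has one possible author.
CRAFTED_BOOK = [f"new{i}@example.com" for i in range(7)] + ["friend0@example.org"]
```

A heuristic like this raises the cost of padding an address book but does not make the crowd trustworthy; the underlying weakness is that the anonymity set is built from input the viewer controls.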



  1.   It is not "Secret" said

    What cannot be is that, calling itself "Secret", as soon as you open it, it asks for an email address to register and for access to the phone book. It even gives the option of registering with a phone number. With all these elements, the application has little of the "Secret" about it.

    1.    Carmen rodriguez said

      You can't describe it more clearly…
      Thanks for the comment!

  2.   Shaiko said

    It needs my email and my phone book to start using it, so what's secret about this? I'm already putting a name and a face to my secrets for the developers, and then things like this happen...

  3.   Fabian Arias said

    How do I create the fake accounts?