February 8, 2014 02:32 am GMT
Original Link: http://feedproxy.google.com/~r/Techcrunch/~3/Us51h1JxmyY/
Secret Hits A Hot App Milestone With Discovery Of First Security Issue
Well that didn’t take long. The new anonymous sharing app Secret, which has morphed into Silicon Valley’s “blind item” (and a great place to troll reporters, apparently) has been hacked.

Don’t worry, it’s not that serious. The hack doesn’t expose who said what – though we’re sure someone is already working on that because, hey, nothing is ever really anonymous. However, the hack does expose that Secret may have less than ideal security measures in place, which may be concerning to those spilling their guts or trash-talking on the service. (Unless all your friends already know which secrets are yours, of course.)

The hack allows users to make requests under the context of another user, which is possible because the server doesn’t do any authentication to check that you have the correct user token. What that means, in practice, is that a user could do something like comment on another person’s post, despite it being clearly marked as “Public Comments Disabled.”

For background, the way Secret works is by obscuring the identities of those on its service. The app asks you for your phone number and email when you sign up, and then uses your address book to tell you when something has been posted by a friend, a friend of a friend, or if it’s something that just became popular on Secret, which made it available for all to see. In the latter case, Secret displays the item’s location, like “California” or “New York.” You can’t typically comment on those items, since you’re not in the poster’s friend network, but the hack changes that.

Here’s how it works:

[Note that in the video, I'm asking him to angle his phone so I can get a better look at the screen, which was in a separate video stream. I could see the comment he was able to post, but the quality of that video was sub-par. I'm including a screenshot instead.]

Here’s the hacked post, as referenced in the video:

The person who pointed out these apps’ faults is someone who has an app in the same broader messaging space. That’s why they were poking around. “I’m not even a security researcher,” he admitted. “Anybody can do what I’m doing.”

To be fair, the hack in question, in and of itself, is not a significant threat. And finding security holes in social apps has become par for the course these days,
Techcrunch
TechCrunch is a leading technology blog, dedicated to obsessively profiling startups, reviewing new Internet products, and breaking tech news.