42 Vulnerabilities Found in “Secret” App So Far

The “Secret” app is supposed to allow people to share their secrets with friends, friends of friends, and the public. Clearly, once a secret is shared it is no longer secret within the group to which it was revealed. However, the app claims to keep the identity of the sharer secret. According to founder David Mark Byttow, “You know who’s on the guest list, but you don’t know who is saying what.” But just how secret are posters’ identities?

White hat hackers have discovered 42 security holes in Secret since February. One of them allowed Ben Caudill to determine the posts made by a Wired reporter. The way this particular flaw worked was ridiculously simple. To view the secrets of your friends, you need to have at least seven friends. Caudill got around this requirement by creating dummy accounts to meet the threshold. He then added only one real person: the target he wanted to unmask. Any secret that then appeared in his friends feed, other than anything posted from his own dummy accounts, must have originated from the target.
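The threshold bypass described above, as an added example that is not code from the original post or from Secret: a toy model of a friends-only feed that is gated on the viewer having at least seven friends. The only rule taken from the write-up is that gate; the account names, the secret text, and the `established` flag that the hardened variant counts instead of raw friend count are assumptions made for the example.

```python
"""Toy model of a friends-only anonymous feed gated by a minimum number of friends.

Added illustration; this is not Secret's code. The one rule taken from the write-up
is that a viewer sees friends' secrets only once they have at least MIN_FRIENDS
friends. Account names, the secret text, and the `established` flag used by the
hardened variant are assumptions made for the example.
"""
from dataclasses import dataclass, field

MIN_FRIENDS = 7


@dataclass
class Account:
    name: str
    established: bool = True          # assumed server-side "real account" signal
    friends: set = field(default_factory=set)
    secrets: list = field(default_factory=list)


def befriend(a: Account, b: Account) -> None:
    a.friends.add(b.name)
    b.friends.add(a.name)


def feed_vulnerable(viewer: Account, accounts: dict) -> list:
    """Reveal friends' secrets once the viewer has MIN_FRIENDS friends of any kind."""
    if len(viewer.friends) < MIN_FRIENDS:
        return []
    return [s for name in sorted(viewer.friends) for s in accounts[name].secrets]


def feed_hardened(viewer: Account, accounts: dict) -> list:
    """Same feed, but only established friends count toward the threshold."""
    real = [n for n in viewer.friends if accounts[n].established]
    if len(real) < MIN_FRIENDS:
        return []
    return [s for name in sorted(viewer.friends) for s in accounts[name].secrets]


def run_attack(feed_fn) -> list:
    """Caudill's trick: MIN_FRIENDS - 1 sock puppets plus one real target.

    Returns the secrets the attacker can attribute to the target: anything in the
    feed that none of the attacker's own puppets posted.
    """
    attacker = Account("attacker")
    target = Account("target", secrets=["constructed secret from target"])
    puppets = [Account(f"puppet{i}", established=False) for i in range(MIN_FRIENDS - 1)]
    accounts = {a.name: a for a in [attacker, target, *puppets]}
    for p in puppets:
        befriend(attacker, p)
    befriend(attacker, target)

    puppet_posts = {s for p in puppets for s in p.secrets}
    return [s for s in feed_fn(attacker, accounts) if s not in puppet_posts]


def legit_user_sees_feed(feed_fn) -> bool:
    """Sanity check: a user with MIN_FRIENDS established friends still gets a feed."""
    viewer = Account("viewer")
    friends = [Account(f"friend{i}", secrets=[f"secret {i}"]) for i in range(MIN_FRIENDS)]
    accounts = {a.name: a for a in [viewer, *friends]}
    for f in friends:
        befriend(viewer, f)
    return len(feed_fn(viewer, accounts)) == MIN_FRIENDS


if __name__ == "__main__":
    print("vulnerable feed leaks:", run_attack(feed_vulnerable))
    print("hardened feed leaks:  ", run_attack(feed_hardened))
```

Counting only established accounts raises the attacker's cost rather than removing the attack: whoever controls six accounts that pass the server's "real account" signal is back where Caudill started, which is the practical meaning of Byttow's line that anonymous does not mean untraceable.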

According to Wired, the answer to the question of whether Secret is secure is that “it demonstrably isn’t.” Byttow himself has acknowledged that “anonymous doesn’t mean untraceable.” He adds that “We do not say that you will be completely safe at all times and be completely anonymous.” If anonymous doesn’t mean untraceable, what else could it possibly mean?

In addition to the number of flaws that have been found in the app, it has raised concerns about cyberbullying. So what has the company done about the problem of cyberbullying? Here’s what an August 5 post by Secret’s founders says:

We make it easy for community members to flag a post when it violates Secret’s guidelines. When a user flags a post, they can choose the reason (bullying, self-harm, etc.). This helps prioritize the secrets that our moderation team reviews so we can react as quickly as possible to more serious violations.

Two days after this post, Fortune Magazine put Secret’s anti-bullying measures to the test. One person made a post that clearly violated Secret’s guidelines, several others contributed negative comments to it, and one flagged the post for bullying. Although the post disappeared from the stream of the person who had flagged it, it remained publicly accessible via its permanent URL and stayed in everyone else’s stream. It took an e-mail to Secret’s spokeswoman to get the post taken down. Byttow implied that the time it took to remove the post was due to the company’s huge spike in growth in Israel and Brazil.
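The behaviour Fortune observed, as an added example that is not Secret's code: a toy flagging model in which a flag only hides the post in the flagger's own stream, placed beside a server-side alternative in which a flag in a severe category changes the post's own state so that streams and the permalink stop serving it pending moderator review. The post ids, user names, post text and the list of severe categories are assumptions made for the example.

```python
"""Toy model of post flagging in an anonymous feed.

Added illustration; this is not Secret's code. It reproduces the behaviour Fortune
observed (a flag removes the post only from the flagger's own stream while the
permalink keeps working) beside a server-side alternative in which a flag in a
severe category quarantines the post for everyone pending moderator review.
Post ids, user names, post text and the severe-category list are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Post:
    post_id: str
    text: str
    flags: dict = field(default_factory=dict)   # flagger -> reason
    quarantined: bool = False                   # server-side state, affects everyone


class FeedService:
    SEVERE = ("bullying", "self-harm")           # assumed list of categories

    def __init__(self, posts):
        self.posts = {p.post_id: p for p in posts}
        self.hidden_for = {}                     # user -> ids hidden only for that user

    def flag_viewer_only(self, user: str, post_id: str, reason: str) -> None:
        """Weak: record the flag, then hide the post in the flagger's stream only."""
        self.posts[post_id].flags[user] = reason
        self.hidden_for.setdefault(user, set()).add(post_id)

    def flag_server_side(self, user: str, post_id: str, reason: str) -> None:
        """Stronger: severe flags change the post's own state, so every read path
        (streams and the permalink) stops serving it until a moderator decides."""
        post = self.posts[post_id]
        post.flags[user] = reason
        self.hidden_for.setdefault(user, set()).add(post_id)
        if reason in self.SEVERE:
            post.quarantined = True

    def stream(self, user: str) -> list:
        hidden = self.hidden_for.get(user, set())
        return [p.post_id for p in self.posts.values()
                if not p.quarantined and p.post_id not in hidden]

    def permalink(self, post_id: str) -> Optional[str]:
        post = self.posts.get(post_id)
        if post is None or post.quarantined:
            return None
        return post.text


def demo(server_side: bool) -> dict:
    """Run Fortune's scenario against one flagging model and report what each party sees."""
    svc = FeedService([Post("p1", "constructed post that violates the guidelines"),
                       Post("p2", "constructed harmless post")])
    flag = svc.flag_server_side if server_side else svc.flag_viewer_only
    flag("flagger", "p1", "bullying")
    return {
        "flagger_stream": svc.stream("flagger"),
        "other_stream": svc.stream("bystander"),
        "permalink_p1": svc.permalink("p1"),
    }


if __name__ == "__main__":
    print("viewer-only hide:", demo(False))
    print("server-side quarantine:", demo(True))
```

Quarantining on a single flag is itself abusable (a group can flag in concert to suppress a post they dislike), so a real service would gate quarantine on a flag count or a moderator decision. The point of the comparison is narrower: a flag has to change state that the permalink route consults, or the post never actually leaves the site.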

Secret joins a growing class of apps that purport to protect their users in some way. Snapchat, which I briefly wrote about in an earlier post, touts ephemerality, while Whisper allows users to send messages anonymously and receive replies. Snapchat has suffered its own share of problems, including the recovery of deleted Snapchat photos, the circumvention of the app by Snaphack, and more. Whisper has been criticized for retrieving the user’s contact list and for being able to access the phone’s camera and video.

The question you should be asking yourself is not just whether you can trust these apps to protect your secrets, but why you should confide in them in the first place. If you need to keep a secret, don’t do what King Midas’s barber did; don’t post it somewhere and depend on the supposed security and trustworthiness of an app to protect you. Just keep it to yourself.
