Hackers Have Found 42 Security Holes In Anonymous App Secret, Including A Way To Reveal A Specific Friend's Posts
Reporter Kevin Poulsen revealed the startlingly high number in a Wired piece in which Secret CEO David Byttow acknowledged that the app doesn't guarantee that users are completely anonymous at all times.
In February, Byttow and his team instituted a way for hackers to submit bugs or security issues, and 38 people have helped close 42 bugs. We don't how many of those holes involved allowing a hacker to find out who posted which secrets, but the site does say that "issues that may threaten an individual's anonymity are taken most seriously."
In his piece, Poulsen highlights a recently fixed hack that would let a user find out all the secrets that someone shared on the app:
Secret pulls in information from your contact list, so you only see posts from your friends, or from friends of friends. So, if you delete your real contact list, make a bunch of dummy Secret accounts, add the email addresses you used to make them to your blank contact list, then added someone's real email address to your contact list, the only real posts you'd see from "friends" in your Secret feed would expose the poster. Viola: You know all that one friend's secrets.
While the high number of discovered vulnerabilities might seem alarming to people who post lots of secrets that they hope will remain, well, secret, Byttow looks at it optimistically.
"As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements," Byttow told Poulsen. "We've had zero public incidents with respect to security and privacy. Everything has come through our bounty program."
Well-known VC Hunter Walk makes a similar case: