Secret app hack allows access to personal data


Popular iPhone and Android app Secret has been hacked in a controlled experiment, allowing security experts to get hold of data.

The app, which allows you to post statements anonymously to your friends and friends of friends, was hacked by security researchers at Rhino Security Labs, who were able to reveal the identities of posters using a flaw in the app's security.

The company's co-founder, Benjamin Caudill, said in a blog post: "This is exactly the kind of application that needs to spend some time under the magnifying glass. A service encouraging people to share their most private thoughts under the aegis of anonymity needs to ensure this anonymity is maintained."

He then went on to explain how Rhino Security Labs was able to circumvent the application's anonymity protocol and then search for a user via their phone number or email address - the two ways you are able to add new users to your account.

The process of hacking into Secret was easy, Caudill claimed. He simply created a new account, created some dummy friends as contacts on his iPhone and then added one real person as a 'victim'.

"Using a standard HTTP proxy to snag the outgoing 'user account creation' packet, we set up a basic script to replay the packet several times - once for each of the [fake friends] accounts - simply iterating the usernames for each."

Using this method, the white-hat hackers were able to trick the app into thinking the account had the required 10 friends, allowing them to see what the real contact was posting, in addition to their friends.
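To make the weakness concrete from the defender's side, here is an added illustration (not Rhino Security Labs' or Secret's code; the 10-friend threshold, the signup log and the clustering rule are assumptions): the raw friend-count gate the researchers padded with replayed signups, beside a gate that collapses a burst of accounts created from one source into a single friend.

```python
from collections import defaultdict
from dataclasses import dataclass

FRIEND_THRESHOLD = 10  # assumed: a viewer needs 10 friends before a contact's posts are shown

@dataclass(frozen=True)
class AccountCreation:
    username: str
    source: str  # client identifier seen at signup (constructed: an IP address here)
    ts: int      # signup time, Unix seconds

def sybil_clusters(creations, window=60, min_size=3):
    """Runs of min_size+ signups from one source, each within `window` seconds
    of the previous one, are returned as suspected attacker-controlled clusters."""
    by_source = defaultdict(list)
    for c in creations:
        by_source[c.source].append(c)
    clusters = []
    for rows in by_source.values():
        rows.sort(key=lambda c: c.ts)
        group = [rows[0]]
        for prev, cur in zip(rows, rows[1:]):
            if cur.ts - prev.ts <= window:
                group.append(cur)
                continue
            if len(group) >= min_size:
                clusters.append({c.username for c in group})
            group = [cur]
        if len(group) >= min_size:
            clusters.append({c.username for c in group})
    return clusters

def weak_gate(friends):
    """The check the researchers defeated: any 10 friends unlock the feed."""
    return len(friends) >= FRIEND_THRESHOLD

def hardened_gate(friends, clusters):
    """Count each suspected sybil cluster as one friend, so replayed signups alone cannot pad the set."""
    remaining = set(friends)
    effective = 0
    for cluster in clusters:
        if remaining & cluster:
            remaining -= cluster
            effective += 1
    return effective + len(remaining) >= FRIEND_THRESHOLD

# Constructed signup log: nine accounts replayed from one address a second apart, plus the real target and an unrelated user.
SIGNUPS = [AccountCreation(f"fake{i:02d}", "203.0.113.7", 1000 + i) for i in range(9)]
SIGNUPS += [AccountCreation("victim", "198.51.100.4", 500), AccountCreation("alice", "192.0.2.10", 50)]
ATTACKER_FRIENDS = [f"fake{i:02d}" for i in range(9)] + ["victim"]
```

With the constructed log, `weak_gate(ATTACKER_FRIENDS)` passes while `hardened_gate` counts the nine replayed accounts as one friend and keeps the feed closed.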

Although Rhino Security Labs said it has not found out whether the information could be used in a 'meaningful way', i.e. whether your personal information could be at risk of being stolen, it does mean your secrets aren't as safe as you thought.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.