Secrets Aren't Safe As You Thought

Researchers hacked the Secret

Security researchers from Rhino Security Labs hacked the popular Secret app and can now reveal the identities of its users.

Secret is a mobile app that lets users post their secrets online anonymously; the company promises anonymous posting without exposing the poster's identity. The researchers have now hacked the app to reveal identities, making a user's secrets searchable by phone number or email.

How They Hacked The Secret App?

The security researchers said, "After a little digging, we at Rhino Security Labs found a way to circumvent Secret’s layers of anonymization and expose the secrets of a user of our choice – searchable by phone number or email. The exploit, in other words, lets you see what other – supposedly anonymous – users have posted."

They explain how they hacked the Secret app:


If we can create a new Secret account (let’s call this account BadGuy), create a bunch of dummy friends (BadGuysFriends 1 through 10), and then add one single genuine person (the victim), we can see what secrets the victim has posted.

Now, obviously this would work (albeit slowly) if you wanted to spy on just one or two people, but it isn’t practical for more large-scale operations. Luckily (or unluckily), Secret offers an API with some vulnerabilities of its own that allowed us to automate the process of creating fake accounts rapidly.

In order to carry out this exploit we first create the BadGuy account. This is pretty easy, as Secret doesn’t require verification of a phone number or email – obviously this makes the process a whole lot easier to carry out en masse. Using a standard HTTP proxy (Burp Suite) to snag the outgoing ‘user account creation’ packet, we set up a basic script to replay the packet several times – once for each of the BadGuysFriends accounts – simply iterating the usernames for each. Remember that there was no verification of phone numbers and emails when using the API, so fake emails and phone numbers are not a problem!

So, after running our little script once, we’ve got BadGuy and his ten friends, all verified users. While there’s no ‘official’ upload feature for new users, the phone’s contact list is uploaded upon a new account creation (as mentioned above). With BadGuysFriends 1-10, as well as a victim, in our address book, we can finish the registration process for BadGuy himself – uploading the contacts to the server. Our ‘friends’ feed quickly populates with secrets from friends and FoF (friends of friends) – since our fake accounts have no secrets of their own, all those secrets from ‘friends’ are really only from our victim user. We can now see every single one of our victim’s secrets, all without their knowing that an attack ever took place.
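The design flaw the researchers describe is that the friends feed was gated on the number of contacts, which an attacker can pad with silent dummy accounts, rather than on the number of people who have actually posted. The toy model below is an added example (not Secret's code and not Rhino Security Labs' script): it reproduces the scenario from the write-up with a simplified address-book matching rule, then shows two mitigations a feed designer can apply, namely ignoring unverified accounts and refusing to render the feed until a minimum number of distinct contributors have posted. All account handles, phone numbers and the `FeedPolicy` knobs are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str                                  # identifier used at sign-up (constructed)
    verified: bool = False                      # was the phone/email actually checked?
    contacts: set = field(default_factory=set)  # phones from the uploaded address book
    secrets: list = field(default_factory=list)


@dataclass
class FeedPolicy:
    require_verified: bool = False  # drop unverified accounts when matching contacts
    min_contributors: int = 1       # distinct posters needed before the feed is shown


def friends_of(acct, directory, policy):
    """Accounts that appear in acct's address book (hypothetical matching rule)."""
    friends = []
    for phone in sorted(acct.contacts):
        other = directory.get(phone)
        if other is None or other is acct:
            continue
        if policy.require_verified and not other.verified:
            continue
        friends.append(other)
    return friends


def build_feed(viewer, directory, policy):
    """Return (secrets, contributor_count) for viewer's friends and friends-of-friends.

    Only accounts that have actually posted count as contributors, so padding the
    address book with silent dummy accounts does not raise the count. Below the
    threshold the feed is withheld, because a single contributor makes every
    secret trivially attributable to that one person."""
    contributors = {}
    for friend in friends_of(viewer, directory, policy):
        for person in [friend] + friends_of(friend, directory, policy):
            if person is viewer or person.phone in contributors:
                continue
            if person.secrets:
                contributors[person.phone] = person
    if len(contributors) < policy.min_contributors:
        return [], len(contributors)
    feed = [s for p in contributors.values() for s in p.secrets]
    return feed, len(contributors)


def run_scenario(policy):
    """Constructed scenario from the write-up: BadGuy, ten silent dummies, one victim.

    The victim has an empty address book here so the only possible contributor is
    the victim; every secret in BadGuy's feed would therefore be theirs."""
    victim = Account("+15550100001", verified=True,
                     secrets=["secret A", "secret B"])
    dummies = [Account(f"+1555020000{i}", verified=False) for i in range(10)]
    bad_guy = Account("+15550300000", verified=False,
                      contacts={victim.phone} | {d.phone for d in dummies})
    directory = {a.phone: a for a in [victim, bad_guy, *dummies]}
    return build_feed(bad_guy, directory, policy)


if __name__ == "__main__":
    print("no policy:        ", run_scenario(FeedPolicy()))
    print("threshold only:   ", run_scenario(FeedPolicy(min_contributors=5)))
    print("verified+threshold", run_scenario(FeedPolicy(require_verified=True,
                                                          min_contributors=5)))
```

With the default policy the feed contains exactly the victim's two secrets with a contributor count of one, which is the de-anonymization the researchers describe. A contributor threshold alone already blanks the feed, because the dummies never post; requiring verified accounts additionally shrinks BadGuy's friend list to the victim only, which is the property that makes the bulk account-creation step pointless in the first place.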

They reported the flaw to Secret and helped the company fix it.

