The idea behind Secret is that you can share anything to your social circle with the comfort of total anonymity. Users’ identities are kept hidden, and that’s what’s supposed to make the app enjoyable or whatever.
As it turns out, it’s not that hard to see who someone actually is on Secret. The catch is that you need their email address.
Wired spoke with a white hat hacker named Ben Caudill who cracked Secret’s veneer of anonymity with some simple contact spoofing on his iPhone.
The way Secret works is that you give it access to your contacts list or Facebook account to find other people you know using the app. Their posts are then aggregated in the app anonymously. For the purpose of his hack, Caudill used the contacts tie-in to exploit Secret.
Caudill’s first step was to create a bunch of fake Secret accounts. This is easy, because Secret doesn’t make you verify your e-mail address or phone number. Caudill wrote a simple script to rapidly create a pool of 50 accounts for his experiments, but he only needed seven to meet Secret’s secret-sharing threshold.
Next, he deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask—me.
Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.
The only way for his hack to work is if you have the person’s email address, but that wouldn’t be difficult if they’re in your contacts to begin with.
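The weakness described above is a friend-count threshold that can be padded with throwaway accounts. The following is an added model of that check and a hardened version, written for this page and not taken from Secret or from Caudill; the `Account` fields, the `MIN_ACCOUNT_AGE` cooling-off period and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    email: str
    verified: bool      # assumed: e-mail or phone number confirmed by the service
    created: datetime   # assumed: account creation time


MIN_FRIENDS = 7                       # threshold figure reported in the article
MIN_ACCOUNT_AGE = timedelta(days=7)   # assumed cooling-off period for new accounts


def naive_anonymity_set(contacts):
    """Weak check: every matched contact counts, including fresh unverified ones."""
    return len(contacts)


def hardened_anonymity_set(contacts, now):
    """Only verified accounts older than MIN_ACCOUNT_AGE count toward the threshold,
    since unverified, minutes-old accounts are exactly what a script mass-creates."""
    return sum(1 for c in contacts
               if c.verified and now - c.created >= MIN_ACCOUNT_AGE)


def can_show_friend_feed(contacts, now, hardened=True):
    """Decide whether a freshly synced user may see a 'friends' feed at all."""
    size = (hardened_anonymity_set(contacts, now) if hardened
            else naive_anonymity_set(contacts))
    return size >= MIN_FRIENDS


def suspicious_sync(contacts, now, max_fresh_ratio=0.5):
    """Detection signal: a sync where most matched contacts are fresh and unverified."""
    fresh = sum(1 for c in contacts
                if not c.verified and now - c.created < MIN_ACCOUNT_AGE)
    return bool(contacts) and fresh / len(contacts) > max_fresh_ratio


# Constructed sample: seven hour-old unverified accounts plus one real, long-lived target.
NOW = datetime(2014, 8, 25)
BOTS = [Account(f"bot{i}@example.invalid", False, NOW - timedelta(hours=1))
        for i in range(7)]
TARGET = Account("target@example.invalid", True, NOW - timedelta(days=400))
SYNCED = BOTS + [TARGET]
```

With the naive count the feed unlocks and every post in it is the target's; the hardened count sees an anonymity set of one and refuses, while `suspicious_sync` flags the sync for review.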
Caudill has already alerted Secret to the hack, so expect a bug fix in the near future. Secret has said that it’s releasing an update with Flickr image search, polls, and other privacy changes.
Oddly enough, a Brazilian court recently forced Apple to remove Secret from the App Store there because anonymity is illegal in the country. After this hack, perhaps Brazil should reconsider the decision.