Simple hack shows Secret posts aren’t as anonymous as they seem


The idea behind Secret is that you can share anything to your social circle with the comfort of total anonymity. Users’ identities are kept hidden, and that’s what’s supposed to make the app enjoyable or whatever.

As it turns out, it’s not that hard to see who someone actually is on Secret. The catch is that you need their email address.

Wired spoke with a white hat hacker named Ben Caudill who cracked Secret’s veneer of anonymity with some simple contact spoofing on his iPhone.

The way Secret works is that you give it access to your contacts list or Facebook account to find other people you know using the app. Their posts are then aggregated in the app anonymously. For the purpose of his hack, Caudill used the contacts tie-in to exploit Secret.

Caudill’s first step was to create a bunch of fake Secret accounts. This is easy, because Secret doesn’t make you verify your e-mail address or phone number. Caudill wrote a simple script to rapidly create a pool of 50 accounts for his experiments, but he only needed seven to meet Secret’s secret-sharing threshold.

Next, he deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask—me.

Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.

The hack only works if you have the person’s email address, but that isn’t hard to come by if they are already in your contacts to begin with.
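The weakness described above is that Secret’s “friend” threshold counts every imported contact, whether or not that contact is a real person. The following simulation is an added example, not Secret’s code or Caudill’s script: it models the naive threshold from the article (seven contacts), a hypothetical hardened policy that only counts verified, established accounts, and a detection signal a service could compute over a new account’s contact import. The `verified` and `age_days` fields, the 30-day minimum, and all addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Minimum number of contacts before a feed shows "friend" posts. Seven is the
# figure the article gives for Secret; everything else here is constructed.
FRIEND_THRESHOLD = 7


@dataclass(frozen=True)
class Contact:
    email: str
    verified: bool   # hypothetical flag: e-mail or phone confirmed at sign-up
    age_days: int    # hypothetical: account age at the time it was imported


def naive_anonymity_set(contacts):
    """Policy the article describes: every imported contact with an account
    counts toward the threshold. Returns the size of the set a 'friend' post
    is supposedly hidden in, or 0 if the feed is withheld."""
    n = len(contacts)
    return n if n >= FRIEND_THRESHOLD else 0


def hardened_anonymity_set(contacts, min_age_days=30):
    """Defender-side variant (an assumption, not Secret's actual fix): only
    contacts that are verified and older than min_age_days count, so throwaway
    accounts created minutes ago cannot pad the set."""
    trusted = [c for c in contacts if c.verified and c.age_days >= min_age_days]
    return len(trusted) if len(trusted) >= FRIEND_THRESHOLD else 0


def effective_anonymity_set(contacts, attacker_controlled):
    """Ground truth the service cannot observe directly: contacts the attacker
    does not control. A 'friend' post can only have come from one of these."""
    return sum(1 for c in contacts if c.email not in attacker_controlled)


def sybil_share(contacts, min_age_days=30):
    """Detection signal: fraction of a feed's contacts that are unverified or
    brand new. Close to 1.0 on the attacker's feed, close to 0 on a normal one."""
    if not contacts:
        return 0.0
    fresh = [c for c in contacts if not c.verified or c.age_days < min_age_days]
    return len(fresh) / len(contacts)


# Constructed scenario mirroring the article: seven throwaway accounts plus the
# one real target, imported into a freshly created account.
SYBIL_EMAILS = {f"bot{i}@example.invalid" for i in range(7)}
ATTACK_FEED = [Contact(e, verified=False, age_days=0) for e in sorted(SYBIL_EMAILS)]
ATTACK_FEED.append(Contact("target@example.invalid", verified=True, age_days=400))

# A normal user's feed: a dozen long-standing, verified contacts.
LEGIT_FEED = [Contact(f"friend{i}@example.invalid", verified=True, age_days=200 + i)
              for i in range(12)]

if __name__ == "__main__":
    for name, feed in (("attacker", ATTACK_FEED), ("legit", LEGIT_FEED)):
        print(name,
              "naive:", naive_anonymity_set(feed),
              "hardened:", hardened_anonymity_set(feed),
              "effective:", effective_anonymity_set(feed, SYBIL_EMAILS),
              "sybil share: %.2f" % sybil_share(feed))
```

Running it shows the gap between what the naive policy reports (an anonymity set of eight) and the true set (one person), while the hardened policy withholds the feed and the sybil-share signal flags the import. Requiring verification and account age raises the attacker’s cost rather than removing the risk entirely, which is why the threshold should be judged on accounts the service has reason to trust, not on raw contact count.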

Caudill has already alerted Secret to the hack, so expect a bug fix in the near future. Secret has said that it’s releasing an update with Flickr image search, polls, and other privacy changes.

Oddly enough, a Brazilian court recently forced Apple to remove Secret from the App Store there because anonymity is illegal in the country. After this hack, perhaps Brazil should reconsider the decision.

  • yarens

    OK. I have 1024 contacts on my phone. I number them sequentially in binary, using 10 digits. Now I create 10 fake Secret accounts. For each contact, I look at its assigned binary number and add it to the contact list only of those accounts where a 1 appears. Each account will have 512 contacts and should look perfectly legitimate. Now, when I see a secret from a friend I check in which accounts it shows up, create a binary number with a 1 for each account it’s in and 0 where it’s not. The resulting binary number is the one assigned to the contact who’s the source of the secret. Pretty simple.

About the author

Alex Heath is a senior writer at Cult of Mac and co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
