The secrets you share on Secret, the popular app that allows people to share messages anonymously within their circle of friends, friends of friends, and publicly, can be easily attributed to you if the attacker knows the email address you used to make an account.
The proof-of-concept attack has been devised and performed by white hat hackers Ben Caudill and Bryan Seely, the co-founder and CTO (respectively) of Rhino Security Labs, and it’s pretty easy to execute.
They only needed to create seven dummy Secret accounts, delete their entire iPhone’s contact lists, add the seven fake e-mail addresses as contacts, and then add the target’s email address.
Next, they had to create a new Secret account and sync their contacts, which allowed them to be in a “circle of friends” that share their secrets. But since seven of the accounts in the circle are fake, it stands to reason that any secret “from a friend” that is shared will be coming from the only real account: the target’s.
The good news is that this particular vulnerability can’t be exploited in reverse: you can’t see a random secret and discover who posted it.
The flaw that allowed this attack to be performed has been fixed already, as the researchers shared their discovery with the company behind the app, via their bug bounty program, which is apparently very successful.
“As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements,” Secret CEO David Byttow commented for Wired. “We’ve had zero public incidents with respect to security and privacy. Everything has come through our bounty program.”
He also says that there is no indication that other hackers have come up with the exploit and used it. Nevertheless, he cannot prove definitely that no-one hasn’t.
Secret users should keep in mind that no system is secure enough. The best way to keep a secret is to keep it, not share it.