Hackers Unmask Anonymous Posters On Secret, Including App's Founder

This article is more than 9 years old.

"This is the third girl I’ve dated in three weeks, and none of them know about each other."

"I’m late. I don’t know how to tell my husband. Especially since he had a vasectomy." 

"Is Lucy the cutest dog?" 

These are recent posts on the mobile confessional app Secret, posts which typically veer toward the salacious and should all have one thing in common: they’re anonymous and untraceable. Yet in the above three cases they weren’t.

Security researchers Benjamin Caudill and Bryan Seely were able to identify the names of their friends behind the first two posts. They also learned that the third post about “Lucy” came from the founder of Secret, ex-Googler David Byttow.

After months of research, Caudill and Seely figured out how to read what their contacts were posting on the app, which could mean insightful tidbits into relationship problems, emotional issues and workplace gossip. “It was like having a voice recorder, or bug in a confessional,” says Caudill, CEO of Rhino Security Labs. The hack was based on a logic flaw in the way Secret designed its back end, one it has now fixed. But, Caudill adds: “I would be surprised if I was the first one to see this.”

Secret did not respond to requests for comment.

Secret is one of the leading mobile apps in a growing field of anonymous posting services like LA-based Whisper and Latvia-based AskFM, which claims more than 100 million registered users. Secret, based in San Francisco, appears to have users in the low-single-digit millions and in nine months of operation has reportedly reached a valuation of $100 million. Anonymous social apps are a backlash to the cheerfully-curated world of Facebook, a place where people can vent, hook up for sex or drop the latest Silicon Valley gossip. But as the hackers have demonstrated, such apps can’t always be trusted 100%.

Secret has dealt with security flaws before, but none have been known to identify users as Caudill and Seely have done. For now, regular users of Secret can be assured that the duo reported the flaw to Secret last week and the app’s back-end team quickly patched it.

Before that though, Caudill and Seely had tied around two-dozen friends and family members to Secret posts. Most knew they were part of a spying test, and a couple didn’t. “There were lots of things about relationships and salaries,” says Caudill. “I found out that a friend of mine had been waffling on moving and had apparently made the decision but didn’t want to tell anybody yet.”

Here’s how the hack worked. Secret typically shows a stream of posts from friends and friends-of-friends. But it will only show that stream if a user has more than eight friends using the app, to avoid identifying them. Caudill and Seely worked around this by downloading Secret on a spare iPod Touch, and creating dozens of fake “friends” with accounts, along with one real friend who was on Secret.

Since the fake friends were dummy accounts, the only account that posted was the real friend - hence the reveal. (Note, this means proactively inputting a user and reading their Secrets, rather than finding interesting Secrets and trying to trace that back to a name.)

The hackers didn’t even have to buy several iPod Touches to track multiple real friends at once. They only had to create around 30 "attacker" accounts (one attacker per victim) on the app on one device, then attach around 100 fake-friend accounts (plus one real friend) to each one, logging in and out of different accounts to look for any salacious new posts.

Making fake accounts is incredibly time consuming, so the duo wrote a script that automated the process for them. Instead of having to download the app multiple times to create multiple fake accounts, the script exploited a loophole in Secret’s back end that allowed them to spoof the action of creating an account through its application programming interface (API).

“We captured the HTTP packet outbound, replacing the associated user names, knowing we had a valid response from the server,” says Caudill. In other words, they spoofed the original act of creating an account. They also avoided having to punch in SMS verification codes for each fake account by submitting each one with a fake email address and a Google Voice number. When both contact details were included, the app for some reason didn’t ask to send a verification code by SMS.
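An added illustration (constructed here; not Secret's code and not the researchers' script) of why the friend threshold described above fails: it models the "more than eight friends" rule as a count of linked accounts, then a hardened variant that counts only friends with posts of their own, and measures the anonymity set each rule leaves the viewer. The function names, FRIEND_THRESHOLD and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field

FRIEND_THRESHOLD = 8  # the article: the friends stream appears only with more than eight friends

@dataclass
class Account:
    name: str
    posts: list = field(default_factory=list)  # secrets this account has authored

def feed_naive(viewer, friends, accounts):
    """Weak rule: every linked account counts toward the threshold, however passive."""
    if len(friends[viewer]) <= FRIEND_THRESHOLD:
        return None  # stream withheld
    return [p for f in sorted(friends[viewer]) for p in accounts[f].posts]

def feed_active_only(viewer, friends, accounts):
    """Hardened rule: only friends with posts of their own count, so one real friend
    padded with silent dummies unlocks nothing. Caveat raised by the article: bots
    that publish their own posts would pass this check."""
    active = [f for f in sorted(friends[viewer]) if accounts[f].posts]
    if len(active) <= FRIEND_THRESHOLD:
        return None
    return [p for f in active for p in accounts[f].posts]

def anonymity_set(viewer, friends, accounts, rule):
    """Friends who could plausibly have written a post the viewer sees.
    0 means no stream is shown; 1 means the viewer can name the author outright."""
    if rule(viewer, friends, accounts) is None:
        return 0
    return len([f for f in friends[viewer] if accounts[f].posts])

def scenario():
    """Constructed data: an attacker with one real friend and 100 silent dummies (the
    shape the article describes), and an honest user with nine friends who all post."""
    accounts = {"attacker": Account("attacker"),
                "real_friend": Account("real_friend", ["I'm late. I don't know how to tell my husband."])}
    for i in range(100):
        accounts[f"dummy{i}"] = Account(f"dummy{i}")  # created in bulk, never post
    pals = {f"pal{i}" for i in range(9)}
    for p in pals:
        accounts[p] = Account(p, [f"confession from {p}"])
    friends = {"attacker": set(accounts) - {"attacker"} - pals, "honest": pals}
    return {
        "attacker_naive": anonymity_set("attacker", friends, accounts, feed_naive),
        "attacker_hardened": anonymity_set("attacker", friends, accounts, feed_active_only),
        "honest_hardened": anonymity_set("honest", friends, accounts, feed_active_only),
    }
```

Under the naive rule the attacker's feed has an anonymity set of one, which is the reveal the researchers describe; the active-only rule withholds the stream from that viewer while still serving the honest user with nine active friends.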

If Caudill and Seely were more maliciously minded, they might have kept their script to themselves for blackmail, or even put the exploit up for sale. Caudill claims such an exploit could have commanded "six figures" on the black market.

Instead, Seely tweeted Secret’s co-founder Chrys Bader on Thursday Aug. 14 saying he’d found a bug. It led to an iMessage conversation between Seely and other co-founder Byttow later that day. Byttow immediately asked if the hackers could submit the vulnerability through Secret’s bug bounty program, which had closed 42 other bugs to date.

The following day Seely texted Byttow the screenshot of his “Lucy” post adding, "She just might be pretty cute."

“Did you receive this in your feed?” Byttow asked.

“My partner and I pegged this to you,” said Seely.

“When are you submitting the vulnerability?” Byttow replied. Seely assured him that he and Caudill were almost done putting together their documentation and would submit it for fixing.

“We understand the system,” Byttow answered. “We don’t need too much documentation.”

“I’ll send what I have shortly,” said Seely.

“Starting to feel like a shakedown,” Byttow said, sounding nervous. Seely assured him that it wasn't, and they were more than happy to cooperate.

The prospect of a hack on a popular anonymous social app could be anathema to its users. The whole idea of Secret’s success hinges on people trusting the service enough to share their deepest, most controversial truths, which is what in turn makes the app so compelling to read.

Once Byttow saw how the hackers had exploited the vulnerability, one of his main questions was how they had reverse engineered Secret’s API. “I may be CEO, but I’m also the engineering lead and wrote most of the backend,” he said. “We understand this attack. It’s a really tough problem.”

Byttow had seen YouTube videos like this one purporting to show how to hack Secret with automated bots. As Byttow’s team patched the flaw, the startup founder revealed this was not the first time he'd dealt with a potential threat to uncover the names behind Secret confessions.

Seely stumbled upon the Secret post above and showed it to Byttow, who replied that his team saw such things regularly. “It’s like negotiating with terrorists if we engage,” he said.

While Secret can continue patching in an arms race against hackers, hackers will almost certainly look for ways around the fixes. Secret can now do a better job of detecting passive, fake accounts like the ones Caudill and Seely made, but what’s to stop a hacker from taking such methods a step further, creating automated bots that publish fake posts to circumvent Secret's latest restrictions? (Bots are already a modern staple of mobile messaging services like Kik, Tinder and Snapchat.) I sent this hypothetical question to Secret's founders but did not hear back.

“As the idea of anonymous social networks grows, so do the security implications,” says Caudill.

It's hard to argue with that. Secret’s security teams will have to keep on their toes, because that battle probably isn’t over.