
Your anonymous posts on Secret are not anonymous.



“White hat” hacker Ben Caudill had already half-finished his sandwich when he casually reached for his iPhone, swiped the screen a few times, and handed it to me with the words: “Did you write that?”

Yes, I wrote it, but no one was supposed to know that. He was showing me one of my posts on Secret, a popular app that lets you share your innermost secrets anonymously with your friends; I repeat: no one is supposed to know which secret belongs to you. A few minutes earlier I had given Caudill my email address, and that was all he needed to uncover my secret, over a sandwich at a leisurely lunch in Palo Alto.

Frankly, my secret was rather boring, but the general stream on Secret consists of sharper, more frivolous material: Silicon Valley gossip or deeply personal confessions such as: “He proposed to me, but I had to say no. I thought it was a ‘life thing,’ but now my heart is broken.” At that moment, Caudill could enter the email address or phone number of any Secret user and read that person's secrets.

The author's secret: deep down I really like only one Tim Burton movie

Secret users are lucky that Caudill is one of the “good guys.” He is a co-founder of Rhino Security Labs, a small information-security firm in Seattle. By the time of our lunch, Caudill and his co-author on the hack, Bryan Seely, the company's other co-founder and head of its technical department, previously known for his manipulation of Google Maps listings, had already passed the details of the hack to Secret's CEO. The hackers hope to receive a reward under Secret's bug-bounty program, which has been running for six months. Both say they have held back their desire to read other people's secrets.

Earlier this week [the original article was published on 22 August 2014; translator's note], in an interview with WIRED, Secret CEO David Byttow confirmed the vulnerability and added that his staff had already fixed it and begun analyzing how it arose. “As far as we can tell, no one exploited the vulnerability in any meaningful way,” says Byttow. “But we have to take action and pin down exactly what caused it.”

Surprisingly, for Secret this has become routine. Since the company launched its bug-bounty program in February, 42 security problems have been fixed thanks to findings from 38 “white hat” hackers. Given how sensitive some secrets are, such an iterative approach may seem inappropriate. Byttow, however, maintains that finding this many bugs proves the system works.

“As hackers find these kinds of vulnerabilities through our HackerOne bounty program, we are moving further and further forward,” says Byttow. “We have not had a single public security or privacy incident. Every weak spot found so far was found through our bug-bounty program.”

Rhino Security Labs co-founder Benjamin Caudill

Caudill and Seely praise the speed and goodwill with which the Secret team responded to their find. But it is hard not to take this case as a warning about the other apps that trade on people's desire for anonymity and privacy on social networks. There are many of them: Whisper, Yik Yak, and also Snapchat, a service that sends your friends photos that are automatically deleted a few seconds after being viewed. In May, Snapchat settled with the US Federal Trade Commission (FTC), which had accused the app's makers of overstating the security of their “disappearing” photos. As it turned out (and as might have been expected), a recipient could keep any photo by using a third-party client or simply taking a screenshot. Snapchat's owners pledged to describe their service's capabilities more honestly and accepted a further condition: for the next 20 years, the FTC's experts will monitor the app.

Snapchat's trick is simple enough, and with Secret the method of the hack also becomes immediately obvious once you understand how the app works.

To hide its users' identities, Secret relies on anonymity in a crowd. When you first install Secret, you cannot see any posts from your social circle until you give the app access to your phone's contact list. The app then matches the email addresses and phone numbers in that list against its current users, and only then can you follow their updates. (You can give the app access to your Facebook profile for the same purpose, though that path is better protected against this kind of attack.)

To see your friends' anonymous secrets, at least seven of your contacts must be signed up. Even then you do not know for certain which of your contacts use Secret: say you have 500 people in your contact list and 30 of them use the app, but you do not know which 30 of the 500 they are. A spicy secret that the app shows as coming from a “friend” could belong to any one of those 500 people.

The catch is that you control your own contact list. That is what Caudill and Seely exploited.

Rhino Security Labs co-founder Bryan Seely

The first thing Caudill did was create some fake accounts in the app. That is easy, because Secret does not require you to verify your email address or phone number to sign up. For his experiments Caudill wrote a simple script that created 50 accounts, though he needed only seven to cross the threshold for viewing secrets.

He then deleted every contact from his iPhone's address book and added seven fake addresses in their place. Then he added one more contact: the email address of the person whose secrets he wanted to see, which was me.

Then he created a new profile and synced his contacts. He now had a fresh, empty account whose contact list contained exactly eight profiles: seven bots under his control and mine. It follows that any secret the app showed as posted by one of his “friends” belonged to me.

After Caudill had shown me my own secrets posted in the app, he moved on to the next victim: Secret's CEO David Byttow. As a test of the proof of concept, Byttow had given the hackers his phone number and email address so they could try to reach the secret he had posted. I watched every step Caudill went through on my iPhone, and we soon uncovered Byttow's secret. It turned out to be about a pet: “Isn't Lucy the cutest dog in the world?”

This method works in only one direction: if you know someone's email address, you can learn that person's secrets, but knowing a secret does not let you determine its author.

Byttow says the form of attack found by Caudill and Seely is not new to Secret. In May, hackers from Russia pulled off the same trick using several mobile phones and a pocketful of SIM cards to create fake accounts. Since then, Secret's developers have built and continually refined algorithms for spotting bots and other suspicious activity. When the system detects an anomaly, it begins automatically hiding posts or deliberately blurring the source of secrets, for example: “friend” becomes “friend of friend” or simply someone from “your circle.”

According to Byttow, over the past few weeks, while the company was scaling its infrastructure, there were moments when the bot-detection system failed for one reason or another, which allowed Caudill and Seely to hack the app the same way.
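The contact-list trick described in the steps above, and the kind of "friend" to "friend of friend" to "your circle" blurring Byttow describes, are easy to model in a few lines. The following is an added illustration, not Secret's code: it simulates a server that matches contact lists against registered users, shows how seven bots plus one target shrink the anonymity set to a single person, and then shows a k-anonymity style feed that widens the crowd and blurs the label (or hides the post) when too few plausible authors remain. The seven-friend threshold comes from the article; the email addresses, the bot heuristic (an account that uploaded no contacts is not counted as a plausible author), the value of K_ANON and the friends-of-friends widening are all assumptions.

```python
"""
Toy model of Secret's "anonymity from the crowd" feed, of the contact-list
trick described above, and of a k-anonymity style mitigation in the spirit of
the "friend" -> "friend of friend" -> "your circle" blurring that Byttow
describes. Added illustration only, not Secret's code. The seven-friend
threshold comes from the article; the addresses, the bot heuristic, K_ANON and
the friends-of-friends widening are assumptions.
"""
from dataclasses import dataclass, field

FRIEND_THRESHOLD = 7   # article: at least seven contacts must be Secret users
K_ANON = 3             # assumed: fewest plausible authors before a post is attributed


@dataclass
class Post:
    author: str        # known only to the server
    text: str


@dataclass
class SecretServer:
    users: dict = field(default_factory=dict)   # email -> set of contact emails
    posts: list = field(default_factory=list)

    def register(self, email, contacts=()):
        # Sign-up verifies neither email nor phone (as the article notes), so an
        # attacker can register as many accounts as a script will produce.
        self.users[email] = set(contacts)

    def post(self, email, text):
        self.posts.append(Post(email, text))

    def friends_of(self, viewer):
        """Contacts of the viewer who are themselves registered users."""
        return {c for c in self.users[viewer] if c in self.users and c != viewer}

    def feed(self, viewer):
        """Naive feed: every post by a registered contact is labelled 'friend'."""
        friends = self.friends_of(viewer)
        if len(friends) < FRIEND_THRESHOLD:
            return []
        return [("friend", p.text) for p in self.posts if p.author in friends]

    def hardened_feed(self, viewer):
        """Size the anonymity set before attributing a post to 'friend'.

        Assumed bot heuristic: an account that uploaded no contacts of its own
        does not count as a plausible author.
        """
        friends = self.friends_of(viewer)
        if len(friends) < FRIEND_THRESHOLD:
            return []
        plausible = {f for f in friends if self.users[f]}
        if len(plausible) >= K_ANON:
            return [("friend", p.text) for p in self.posts if p.author in friends]
        # Too few real friends: widen the crowd to friends-of-friends and blur
        # the label, so "7 bots + 1 target" no longer pins down the author.
        circle = set(friends)
        for f in friends:
            circle |= self.friends_of(f)
        circle.discard(viewer)
        plausible = {c for c in circle if self.users[c]}
        if len(plausible) >= K_ANON:
            return [("your circle", p.text) for p in self.posts if p.author in circle]
        return []   # still too small a crowd: hide rather than leak


def deanonymize(server, target, attacker="attacker@example.test"):
    """The trick from the article: seven bots plus the target in the contact list."""
    bots = [f"bot{i}@example.test" for i in range(FRIEND_THRESHOLD)]
    for b in bots:
        server.register(b)
    server.register(attacker, bots + [target])
    # The bots never post, so every 'friend' post in the feed is the target's.
    return [text for label, text in server.feed(attacker) if label == "friend"]


def build_sample():
    """Constructed sample population; the two secrets are the article's examples."""
    s = SecretServer()
    people = [f"user{i}@example.test" for i in range(10)]
    for p in people:
        s.register(p, [q for q in people if q != p])
    s.post("user3@example.test", "Deep down I really like only one Tim Burton movie")
    s.post("user5@example.test", "Isn't Lucy the cutest dog in the world?")
    return s


if __name__ == "__main__":
    s = build_sample()
    print("naive feed leaks:", deanonymize(s, "user3@example.test"))
    print("hardened feed for the attacker:", s.hardened_feed("attacker@example.test"))
    print("hardened feed for a real user:", s.hardened_feed("user0@example.test"))
```

Against the naive feed, `deanonymize` returns exactly the target's post. Against the hardened feed the same attacker account sees both sample posts labelled "your circle", because the only plausible author among its eight contacts is the target, so the server widens the crowd to the target's own friends before showing anything; a genuine user with nine real contacts still sees ordinary "friend" posts. The heuristic is deliberately simple: a real bot detector would also look at registration rate, device fingerprints and whether the accounts ever interact, which is what Byttow's remark about failures during infrastructure changes is about.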

As a result, the company appears to operate in startup mode: experimenting, learning from its mistakes, boldly trying new things, failing. “What we are trying to convey to users is that being anonymous does not mean being untraceable,” explains Byttow. “Secret is not the place for illegal activity, terrorist threats or the exchange of dubious images... We do not promise permanent security or one hundred percent anonymity.”

That raises the question: is the app safe enough for the purposes it is being used for? Clearly not. I pick one of the secrets from the service's front page and read it over the phone to Byttow: “At work I am being given more and more responsibility. And I am silently struggling with a mental illness.” Is Secret safe enough to keep this user anonymous?

He answers with a question of his own. If there were no apps like Secret, where would this person go to unburden themselves? Where could they share their struggle with mental illness? On Facebook? Don't make me laugh.

“Our job is to make sure people feel safe and confident,” Byttow continues. “People can't share this on Facebook. That is our mission: people can write things here and not feel alone. It matters a great deal.”

Caudill is skeptical that such a dual goal can be achieved. He doubts that one can communicate while remaining anonymous.

“I understand to some extent what this is all about. They are trying to be something like WikiLeaks, but for everyone. In reality, though, it does not quite work,” Caudill adds. “You cannot talk to your friends, be socially active and still remain anonymous. I cannot picture a situation in which someone chasing two hares catches both.”

Source: https://habr.com/ru/post/234803/
