Secret is a popular mobile app that allows people to share secrets online. As an anonymous social network, it gives people a safe, online place to unburden a guilty conscience or vent without fear of reprisal. You can think of it as the combination of a digital confessional booth and a personal WikiLeaks all wrapped up into one. In a world where anonymity is all but impossible (and privacy is flimsy), people have flocked to Secret.ly in droves.
As one of the co-founders puts it, Secret.ly is a place where people say what they really think and express how they really feel. The community is one of acceptance, of finding commonalities based on common frustrations and shared sorrows – the things we all feel but can’t talk to anyone about. Given how difficult it is to speak freely online, the popularity of the app is easy to understand. It’s a reaction to the enforced transparency of social media sites like Facebook and LinkedIn, where everything we say is permanently attached to our name. By contrast, people use Secret.ly to share everything from daily grievances to Google salary information and Silicon Valley leaks to secrets about Secret.ly itself!
Secret.ly - Speak Freely.
Naturally, this is exactly the kind of application that needs to spend some time under the magnifying glass. A service encouraging people to share their most private thoughts under the aegis of anonymity needs to ensure this anonymity is maintained. After a little digging, we at Rhino Security Labs found a way to circumvent Secret.ly’s layers of anonymization and expose the secrets of a user of our choice – searchable by phone number or email. The exploit, in other words, lets you see what other – supposedly anonymous – users have posted.
Our exploit begins with a key feature of Secret that adds some intrigue to the already-thrilling process – social networking. Upon signup, Secret pulls your list of contacts (from Facebook or your phone) and automatically adds all of these people as potential friends. If there’s an email or phone number match with an existing account, that account is added to your ‘friends’ list. To stop you from simply adding one person at a time and reading their secrets, Secret.ly refuses to show you any secrets from friends unless you have at least ten of them. With ten or more friends feeding into one unlabelled stream, you can only guess and speculate at whose closeted skeleton is whose.
Seems pretty secure? It wasn’t. What follows is a breakdown of how we broke Secret.ly (the issue has since been fixed, as described below).
The basis of the exploit is this: if we can create a new Secret.ly account (let’s call this account BadGuy), create ten dummy friends (BadGuysFriends 1 through 10), and then add one single genuine person (the victim), the ten-friend threshold is satisfied, but only one of those eleven ‘friends’ has ever posted anything. Every secret in BadGuy’s friends feed therefore belongs to the victim.
Now, obviously this would work (albeit slowly) if you wanted to spy on just one or two people, but it isn’t practical for larger-scale operations. Luckily (or unluckily), Secret.ly’s API had weaknesses of its own that allowed us to automate the creation of fake accounts rapidly.
In order to carry out this exploit we first create the BadGuy account. This is pretty easy, as Secret.ly doesn’t require verification of a phone number or email – obviously this makes the process a whole lot easier to carry out en masse. Using a standard HTTP proxy (Burp Suite) to capture the outgoing ‘user account creation’ request, we set up a basic script to replay that request several times – once for each of the BadGuysFriends accounts – simply iterating the username, phone number and email for each. Because the API performs no verification of phone numbers or emails, fake values are accepted as-is, so inventing them is not a problem!
So, after running our little script once, we’ve got BadGuy and his ten friends, all accepted as legitimate Secret.ly users. While there’s no ‘official’ upload feature for new users, the phone’s contact list is uploaded upon account creation (as mentioned above). With BadGuysFriends 1-10, as well as the victim, in our address book, we can finish the registration process for BadGuy himself – uploading the contacts to the server. Our ‘friends’ feed quickly populates with secrets from friends and FoF (friends of friends) – but since our fake accounts have no secrets (or contacts) of their own, every secret labelled as coming from a ‘friend’ is really from our victim. We can now see every single one of our victim’s secrets, all without their knowing that an attack ever took place.
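To make the threshold failure concrete, here is an added simulation (not Secret.ly’s code, and not the API we tested) of the procedure just described. It models a toy server with the ten-friend rule, runs the BadGuy / BadGuysFriends attack against it, and then runs the same attack against two assumed hardening options: counting only verified accounts toward the threshold, and refusing unverified signups altogether. The endpoint shapes, identifiers and secrets are constructed for the example; the page does not describe what fix Secret actually shipped.

```python
# Added example (not Secret.ly's code): a toy model of the friend-threshold
# anonymity check and the sock-puppet attack described above. Account
# creation, contact matching and the feed are simplified assumptions; the
# real API endpoints and data formats are not shown on the page.
from dataclasses import dataclass, field

FRIEND_THRESHOLD = 10  # from the article: no friends' feed below ten friends


@dataclass
class Account:
    username: str
    phone: str
    email: str
    verified: bool = False            # whether phone/email was actually confirmed
    secrets: list = field(default_factory=list)
    contacts: set = field(default_factory=set)   # identifiers uploaded from the address book


class SecretService:
    """Toy server. The two flags model hardening options (assumed, not Secret's fix)."""

    def __init__(self, require_verification=False, count_only_verified=False):
        self.accounts = {}
        self.require_verification = require_verification
        self.count_only_verified = count_only_verified

    def create_account(self, username, phone, email, verified=False):
        # Original weakness: no verification, so a replayed signup request with
        # a new username, phone and email is accepted as-is.
        if self.require_verification and not verified:
            raise PermissionError(f"{username}: phone/email must be verified first")
        acct = Account(username, phone, email, verified)
        self.accounts[username] = acct
        return acct

    def upload_contacts(self, username, identifiers):
        self.accounts[username].contacts.update(identifiers)

    def friends_of(self, username):
        me = self.accounts[username]
        friends = []
        for other in self.accounts.values():
            if other is me:
                continue
            if other.phone in me.contacts or other.email in me.contacts:
                if self.count_only_verified and not other.verified:
                    continue          # sock puppets do not count toward the threshold
                friends.append(other)
        return friends

    def friends_feed(self, username):
        """Secrets from friends, unlabelled, or None if the feed is hidden."""
        friends = self.friends_of(username)
        if len(friends) < FRIEND_THRESHOLD:
            return None
        return [s for f in friends for s in f.secrets]


def run_attack(service):
    """Replay the BadGuy / BadGuysFriends attack against `service`.

    Returns the list of secrets BadGuy can read, or a string saying where the
    attack was stopped. All identifiers and secrets are constructed test data.
    """
    victim = service.create_account("victim", "+15550001111", "victim@example.com", verified=True)
    victim.secrets += ["I hate my boss", "Leaving the company next month"]
    try:
        service.create_account("BadGuy", "+15559990000", "badguy@example.com")
        puppet_ids = []
        for i in range(1, FRIEND_THRESHOLD + 1):      # one replayed signup per puppet
            phone, email = f"+1555000{i:04d}", f"badguysfriend{i}@example.com"
            service.create_account(f"BadGuysFriend{i}", phone, email)
            puppet_ids += [phone, email]
    except PermissionError as exc:
        return f"blocked: {exc}"
    # BadGuy's 'address book': the ten puppets plus the one real target.
    service.upload_contacts("BadGuy", set(puppet_ids) | {victim.phone})
    feed = service.friends_feed("BadGuy")
    if feed is None:
        return "blocked: feed hidden, fewer than 10 counted friends"
    # Puppets have no secrets, so everything in the feed belongs to the victim.
    return feed


if __name__ == "__main__":
    print("original:", run_attack(SecretService()))
    print("count only verified friends:", run_attack(SecretService(count_only_verified=True)))
    print("require verification:", run_attack(SecretService(require_verification=True)))
```

The lesson the simulation makes visible is that a ‘k friends’ threshold is only as strong as the cost of creating k-1 accounts: if signup is free and unverified, the attacker supplies the other nine members of the anonymity set himself. Either of the modelled mitigations (verifying contact identifiers before they can match, or excluding unverified accounts from the count) closes this particular route, though neither is presented here as what Secret actually deployed.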
Sharing secrets, safely.
The Secret.ly Lesson
This time, the story has a happy ending. We strongly believe in responsible disclosure – making sure that the problem is fixed before anyone else is informed. We contacted Secret.ly right away and worked together with them to resolve the vulnerability immediately. Only once everything had been secured did we break the story at Wired.
You might ask – why release a story at all?
The answer is that there’s a lesson here for anyone who runs an online business or is responsible for protecting important information. We genuinely care about the state of online security. What if we hadn’t gone looking? What if the exploit had been found by a cyber-criminal or a foreign intelligence agency? It’s almost impossible to overstate just how important it is that organizations of all kinds and sizes take cybersecurity seriously, and it’s frightening to see just how few of them actually do. Time and time again, we’ve had to explain to people that good, effective cyber-security is just as much a mindset as it is a technical challenge. Exploits and hacks of all kinds are, on a fundamental level, design problems: here, an anonymity guarantee rested on a friend count that anyone with unverified signups could inflate. This is why penetration testing and assessments carried out by experienced hackers remain the holy grail of cyber-security. There is simply no substitute for someone else picking over your application. No matter how careful you are, no matter how hard you work to keep everything secure, it’s always possible you missed something. Better to have a pro find that vulnerability rather than a bad guy, right?
Epilogue: What’s next?
This chapter is finished, but the work is never done. At Rhino Security Labs, we’re constantly conducting research on cybersecurity issues and helping organizations protect themselves. With the recent surge of anonymity apps on mobile platforms, privacy is a growing concern, and we like to do our part to secure it. We’re already looking into the security of similar privacy apps (such as Mark Cuban’s disappearing-message chat app, Cyber Dust) and look forward to improving privacy and security online.
Stay tuned, and stay safe!