Secret isn't keeping secrets truly secret, it seems

A secret-sharing app called Secret, which allows users to post anonymous secrets and confessions, is apparently not so secret after all.

Hackers have detected a total of 42 security holes in the app, even managing to find and reveal a media reporter's posts on the app, since a bounty program started in February.

"To be clear, there still remains no way to verifiably associate a post with a phone number, email address or Facebook ID in Secret," states Secret, noting the hack uncovered required deduction in that the hacker asked the poster if the post was his, and "there was no ID or phone number discovered, and has been addressed," said a spokesperson for Secret.

The way Secret works is that it essentially pulls information from a user's contact list so people can only see the secrets of friends or friends of friends. If a user were to delete his or her contact list, make a number of fake Secret accounts using fake emails, then add one real friend with a real email address to your contacts list, they would be able to see only their friends' secrets.

The hacker who discovered the latest flaw, Ben Caudill, considers himself to be a "white hat" hacker, which is a hacker who aims to be ethical. Because of this, he has revealed the flaw to Secret, and the team has since fixed it. Now, instead of labeling a secret from a "friend" or "friend of a friend," it will simply be labeled as someone "from your circle."

Secret offers a reward to hackers who are able to detect flaws in the app. The hackers that have detected the security flaws in the app have all done so through Secret's HackerOne bounty program; there have not been any real incidents with the app.

"As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements," said David Byttow, CEO of Secret. "We've had zero public incidents with respect to security and privacy. Everything has come through our bounty program."

"We greatly value the posts on our bug bounty program, which by design help to fix bugs before they become problems for the community...Many reports are hackers making sure that we're doing all of the right things, which is the way we want it," Byttow continued.

Secret is expected to roll out an update soon that includes security fixes as well as allowing users to use images from Flickr.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics