I'm noticing a pattern with these "private" apps: http://www.wired.com/2014/08/secret/
What a terrible design:

Secret relies on the anonymity of the crowd to camouflage its users’ identities. When you first install Secret, you can’t see any posts from your social circle until you give the app access to your phone’s contact list. Then the app checks all the e-mail addresses and phone numbers on the list for current Secret users, and you start following them. (You also can give it access to your Facebook profile for the same purpose, though that route was not vulnerable to the hack). You must be following at least seven friends on the system before you can see your friends’ anonymous posts. Even then, you don’t know who among your contacts are using Secret: If you have 500 people in your contact list, and 30 of them are using Secret, you won’t know which 30 they are. A juicy secret posted by a “friend” could belong to any of those 500 people.

The problem is, your address book is under your control. And that’s what Caudill and Seely used to their advantage.

Caudill’s first step was to create a bunch of fake Secret accounts. This is easy, because Secret doesn’t make you verify your e-mail address or phone number. Caudill wrote a simple script to rapidly create a pool of 50 accounts for his experiments, but he only needed seven to meet Secret’s secret-sharing threshold.

Next, he deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask—me. Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.
_______________________________________________
Guardian-dev mailing list
Post: [email protected]
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To Unsubscribe
  Send email to: [email protected]
  Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com
You are subscribed as: [email protected]
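The design flaw the quoted article describes is a k-anonymity threshold (seven followed friends) that the viewer is allowed to populate. The following is an added example, not code from Secret, from the Wired authors, or from the list poster: it models the article's policy next to a hypothetical hardened one so the collapse of the anonymity set is visible. The `verified` and `age_days` fields, the `min_age_days` parameter and all `example.invalid` addresses are assumptions and constructed sample data; the threshold of seven is the article's own figure.

```python
"""Model of the 'anonymity through the crowd' design in the quoted article,
beside a hypothetical hardened policy.  Added example; not code from Secret,
the article's authors, or the list poster.  All accounts are constructed
sample data; 'verified', 'age_days' and 'min_age_days' are assumptions."""
from dataclasses import dataclass

K_THRESHOLD = 7  # minimum followed friends before the feed unlocks (from the article)


@dataclass(frozen=True)
class Account:
    handle: str
    verified: bool   # hypothetical: e-mail/phone actually verified
    age_days: int    # hypothetical: days since sign-up


def naive_anonymity_set(following: frozenset) -> frozenset:
    """Policy in the article: every contact who is a user counts toward K.
    Returns the accounts a 'friend' post could come from, or an empty set
    if the feed stays locked."""
    return following if len(following) >= K_THRESHOLD else frozenset()


def hardened_anonymity_set(following: frozenset, min_age_days: int = 30) -> frozenset:
    """Hypothetical hardening: only verified accounts at least min_age_days
    old count toward K, so a freshly scripted pool cannot unlock a feed."""
    trusted = frozenset(a for a in following if a.verified and a.age_days >= min_age_days)
    return trusted if len(trusted) >= K_THRESHOLD else frozenset()


def effective_candidates(anon_set: frozenset, viewer_controlled: frozenset) -> frozenset:
    """What the viewer really learns: accounts the viewer created can be
    ruled out, so a 'friend' post is only as anonymous as what remains."""
    return anon_set - viewer_controlled


def anonymity_size(policy, following: frozenset, viewer_controlled: frozenset = frozenset()) -> int:
    """Number of real candidates a 'friend' post could belong to under a policy."""
    return len(effective_candidates(policy(following), viewer_controlled))


# --- constructed scenario from the article: seven bots plus one target ---
BOTS = frozenset(Account(f"bot{i}@example.invalid", verified=False, age_days=0) for i in range(7))
TARGET = Account("target@example.invalid", verified=True, age_days=400)
ATTACKER_FOLLOWING = BOTS | {TARGET}

# --- constructed honest scenario: 30 genuine contacts out of a 500-entry address book ---
HONEST_FOLLOWING = frozenset(
    Account(f"contact{i}@example.invalid", verified=True, age_days=365) for i in range(30)
)


if __name__ == "__main__":
    # The article's policy unlocks the feed and leaves exactly one real candidate.
    print("naive, bots+target:   ", anonymity_size(naive_anonymity_set, ATTACKER_FOLLOWING, BOTS))
    # The hardened policy never unlocks it: only one trusted account is followed.
    print("hardened, bots+target:", anonymity_size(hardened_anonymity_set, ATTACKER_FOLLOWING, BOTS))
    # Honest users are unaffected under either policy.
    print("naive, honest:        ", anonymity_size(naive_anonymity_set, HONEST_FOLLOWING))
    print("hardened, honest:     ", anonymity_size(hardened_anonymity_set, HONEST_FOLLOWING))
```

Verification and account age only raise the cost of filling the threshold; they do not remove the underlying issue, which is that the viewer chooses the contacts the threshold is counted over. A structural fix has to measure anonymity against accounts the viewer could not have fabricated, rather than against whatever the synced address book contains.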
