[guardian-dev] Your Anonymous Posts to Secret Aren’t Anonymous After All
josh at vitriolix.com
Fri Aug 22 14:32:42 EDT 2014
I'm noticing a pattern with these "private" apps:
What a terrible design:
Secret relies on the anonymity of the crowd to camouflage its users’
identities. When you first install Secret, you can’t see any posts
from your social circle until you give the app access to your phone’s
contact list. Then the app checks all the e-mail addresses and phone
numbers on the list for current Secret users, and you start following
them. (You also can give it access to your Facebook profile for the
same purpose, though that route was not vulnerable to the hack).
You must be following at least seven friends on the system before you
can see your friends’ anonymous posts. Even then, you don’t know who
among your contacts are using Secret: If you have 500 people in your
contact list, and 30 of them are using Secret, you won’t know which 30
they are. A juicy secret posted by a “friend” could belong to any of
those 500 people.
The problem is, your address book is under your control. And that’s
what Caudill and Seely used to their advantage.
Caudill’s first step was to create a bunch of fake Secret accounts.
This is easy, because Secret doesn’t make you verify your e-mail
address or phone number. Caudill wrote a simple script to rapidly
create a pool of 50 accounts for his experiments, but he only needed
seven to meet Secret’s secret-sharing threshold.
Next, he deleted everything from his iPhone’s contact list, and added
the seven fake e-mail addresses as contacts. When he was done, he
added one more contact: the e-mail address of the person whose secrets
he wanted to unmask—me.
Then he signed up for another new Secret account and synced his
contacts. He now had a new, blank Secret feed that followed eight
accounts: seven bot accounts created and controlled by him, and mine.
Anything that appeared as posted by a “friend” logically belonged to
More information about the Guardian-dev