White hat hacker Ben Caudill is halfway through his sandwich when he casually reaches over to his iPhone, swipes the screen a few times, then holds it up to me. “Is that you?” he asks.
It is, but nobody was supposed to know. He's showing me one of my posts to Secret, the popular anonymous sharing app that lets you confess your darkest secrets to your friends without anyone knowing it’s you. A few minutes ago I gave Caudill my personal e-mail address, and that was all he needed to discover my secret in the middle of a Palo Alto diner, while eating a BLT.
My secret is pretty lame, but Secret’s stream is slurry of flippant posts, Silicon Valley gossip, and genuinely personally confessions like, “He proposed—I had to say no. And it broke my heart to do the right thing.” At this moment, Caudill could type in any Secret user’s e-mail address or phone number and decloak that person’s secrets.
Fortunately for Secret users, Caudill is one of the good guys. He’s the co-founder of the small Seattle security shop Rhino Security Labs. By the time of our Friday lunch, his CTO and co-inventor of the hack, notorious Google Maps manipulator Bryan Seely, already had given Secret’s CEO the outlines of their technique. The hackers hope to qualify for a reward under Secret’s six-month old bug bounty program. Both men say they’ve resisted the urge to pry into anyone’s secrets.
In an interview with WIRED this week, Secret CEO David Byttow confirmed the vulnerability, and said the company has blocked the attack and begun a post-mortem. “As near as we can tell this hasn’t been exploited in any meaningful way,” says Byttow. “But we have to take action to determine that.”
What’s surprising, though, is that this is routine for the company. Since Secret instituted a bug bounty in February, the company has closed 42 security holes identified by 38 white hat hackers. Given the sensitivity of what some people post to Secret, this iterative approach might seem disconcerting. But Byttow says the deluge of bugs proves the system works.
“As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements,” says Byttow. “We’ve had zero public incidents with respect to security and privacy. Everything has come through our bounty program.”
Caudill and Seely give Secret high marks for responding quickly and amiably to their find. But it’s hard not to see the incident as another warning about every app that tries to weld privacy and anonymity features onto a social networking chassis. They’re apps like Whisper, Yik Yak and the ephemeral photo sharing app Snapchat, which lets you share photos with friends that will vanish as soon as they’re seen. In May, Snapchat settled with the FTC over charges that it exaggerated the security of its disappearing photos. It turns out (as you'd expect) the recipient could save any snap by taking a screenshot or using a third-party client. Snapchat agreed to be more honest about the limits of its service, and to accept 20 years of monitoring by FTC regulators.
Like the Snapchat issues, the Secret hack is obvious once you know the trick.
Secret relies on the anonymity of the crowd to camouflage its users’ identities. When you first install Secret, you can’t see any posts from your social circle until you give the app access to your phone’s contact list. Then the app checks all the e-mail addresses and phone numbers on the list for current Secret users, and you start following them. (You also can give it access to your Facebook profile for the same purpose, though that route was not vulnerable to the hack).
You must be following at least seven friends on the system before you can see your friends’ anonymous posts. Even then, you don’t know who among your contacts are using Secret: If you have 500 people in your contact list, and 30 of them are using Secret, you won’t know which 30 they are. A juicy secret posted by a “friend” could belong to any of those 500 people.
The problem is, your address book is under your control. And that’s what Caudill and Seely used to their advantage.
Caudill’s first step was to create a bunch of fake Secret accounts. This is easy, because Secret doesn’t make you verify your e-mail address or phone number. Caudill wrote a simple script to rapidly create a pool of 50 accounts for his experiments, but he only needed seven to meet Secret’s secret-sharing threshold.
Next, he deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask---me.
Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.
After demonstrating on my own secret, Caudill moved on to his next victim: Secret CEO Byttow, who gave the hackers his e-mail address and phone number, then challenged them to access his own Secret post as a proof-of-concept. I watched Caudill go through the steps on his iPhone, and soon Byttow’s secret appeared. It appeared to be about a pet: “Is Lucy the cutest dog?”
The attack is purely one way: You can get someone’s secrets if you know their e-mail address, but you can’t start with a secret and unmask the user behind it.
And Byttow says the flavor of the hack demonstrated by Caudill and Seely isn’t new to Secret. In May, Russian hackers performed a similar stunt using cell phones and a pocketful of SIM cards to create the dummy accounts. Since then, Secret has built and continuously refined algorithms to detect bots and other suspicious activity. When an anomaly pops up, the system begins hiding posts, or gets deliberately vague about the source: a “friend” becomes a “friend of a friend,” or simply someone “in your circle”.
But at some point in the last few weeks, as the company expanded its infrastructure, the bot detection system somehow failed, allowing Caudill and Seely to rediscover the hack, Byttow says.
It all gives the impression of a system in a start up mode of experimentation, learning from its mistakes, daring to try new things, screwing up. “The thing we try to help people acknowledge is that anonymous doesn’t mean untraceable,” says Byttow. “Secret is not a place for unlawful activity, or to make bomb threats or share explicit imagery. … We do not say that you will be completely safe at all times and be completely anonymous.”
The question, then, isn’t whether Secret is secure. It demonstrably isn’t. It’s whether it’s secure enough for what it’s being used for. I pick out one of the posts promoted to Secret’s homepage, and read it to Byttow over the phone: “At work I’m being given more and more responsibility. Silently I’m struggling with mental illness.” Does Secret provide enough anonymity for that user?
He turns the question back on me. If there was no Secret, or an app like it, where would this anonymous poster go for catharsis? Where would he share his struggle with mental illness? Facebook? Don’t make him laugh.
“It’s our job to make sure people feel safe and in control,” he says. “People can’t do that on Facebook. That’s our mission, so people can put this stuff out there and not feel alone. That’s so important.”
Caudill, the hacker, is skeptical that the twin goals of sharing and anonymity can ever be resolved.
“I kind of see where they’re going with it. They’re trying to be kind of the everyman’s WikiLeaks. But at the same time it doesn’t really work that way,” says Caudill. “You can’t both try to connect with all your friends and be really social and network with everything, and that same time try to do all that anonymously. I can’t see a situation where you can have your cake and eat it too.”
