“The thing we try to help people acknowledge is that anonymous doesn’t mean untraceable,” David Byttow, chief executive and co-founder of Secret, told Wired in an interview this week. “We do not say that you will be completely safe at all times and be completely anonymous.”
As previously explained by Mariana Marcaletti in this post, here is how Secret works: set up your account with your phone number, e-mail address or Facebook account, and Secret will connect you to your friends who are already using Secret. You will be able to see and comment on secrets posted by your friends, and by friends of friends, thanks to Secret's algorithm that tracks your contacts; you can also share your own secrets -- "all anonymously," as Secret promises.
But "white-hat hackers" (those who consider themselves ethical hackers) Benjamin Caudill and Bryan Seely were able to identify the names of people behind the supposedly anonymous posts on Secret by using personal e-mail addresses. They were also able to see what Byttow posted on Secret: "Is Lucy the cutest dog?"
The idea behind the hack was simple, despite the arduous process.
On a Secret feed, you can only see posts from your friends, or from friends of friends because Secret gets information from your contact lists. But what if you delete your real contacts, create some dummy Secret accounts (the app doesn't require you to verify your e-mail address or phone number), and add someone's real e-mail address to that list?
"We were able to manipulate the process of adding friends to the app and replace real ‘friends’ with dummy accounts we created, causing the application to believe we have a large group of friends and that any one friends’ secret would be anonymous," Caudill said in an e-mail. "In actuality, only one real person was added – the victim – so any secrets from friends would be identified as theirs."
Secret only needs you to have seven contacts to see your friends' posts. Caudill created a pool of 50 accounts for his experiments. Although the result was a little surprising to Caudill, he said these sorts of flaws are common for mobile applications, especially for startups.
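The weakness described above is that the friend-count threshold is satisfied by unverified throwaway accounts, so the only real contact in the list is the author of every "friend" post. The following is an added example, not Secret's code, of a server-side check that counts only established accounts (assumed here to mean a verified e-mail or phone number and a minimum account age) toward the threshold, beside the naive count that the padding trick defeats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_FRIENDS = 7  # threshold reported in the article


@dataclass(frozen=True)
class Account:
    handle: str
    created: datetime
    verified_email: bool = False
    verified_phone: bool = False


def is_established(acct: Account, now: datetime,
                   min_age: timedelta = timedelta(days=7)) -> bool:
    """An account counts toward anonymity only if it has a verified channel
    and some history; both are assumptions about a reasonable policy."""
    has_verified_channel = acct.verified_email or acct.verified_phone
    return has_verified_channel and (now - acct.created) >= min_age


def naive_threshold_met(contacts: list[Account]) -> bool:
    """The check the article implies: any seven contacts will do."""
    return len(contacts) >= MIN_FRIENDS


def effective_anonymity_set(contacts: list[Account], now: datetime) -> list[Account]:
    return [c for c in contacts if is_established(c, now)]


def may_show_friend_posts(contacts: list[Account], now: datetime) -> bool:
    """Hardened check: the effective anonymity set must be large enough,
    so one real person padded with dummies is not exposed."""
    return len(effective_anonymity_set(contacts, now)) >= MIN_FRIENDS


# Constructed sample: one real, long-standing contact plus unverified dummies
# created minutes ago, mirroring the 50-account pool described in the article.
NOW = datetime(2014, 8, 22, 12, 0)
VICTIM = Account("victim", NOW - timedelta(days=400), verified_email=True)
DUMMIES = [Account(f"dummy{i}", NOW - timedelta(minutes=i)) for i in range(49)]
PADDED_LIST = [VICTIM] + DUMMIES

if __name__ == "__main__":
    print("naive check passes:", naive_threshold_met(PADDED_LIST))      # True
    print("hardened check passes:", may_show_friend_posts(PADDED_LIST, NOW))  # False
```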
"Between the high-level design and implementation of code, attackers have a lot of possible attack vectors, and developers need to cover them all," Caudill said. "Secret actually has pretty good security in many areas, but the deck is stacked against companies today. It's hard for them to cover all possible vulnerabilities without a lot of specialized help."
It's a routine process for companies like Secret to fix such flaws as hackers disclose them through the bug bounty program that the company instituted six months ago. The Secret team has closed 42 security holes identified by more than 30 white-hat hackers.
Secret is just one of the many popular anonymity and privacy apps for mobile devices that allow people to communicate in a safer, more secure environment, Caudill said. But for many of these companies, the technical controls don’t match the marketing. For example, Snapchat, the popular photo sharing app, settled with the FTC and accepted 20 years of monitoring by FTC regulators over charges that it deceived users. What the company promised users -- that photos shared with friends would disappear once they were seen -- isn't always true.
Secret did not immediately respond to a request for comment.
There are dozens of similar apps out there that allow users to share their words while remaining anonymous. While it's a great concept, Caudill said, he is not convinced that there is a business melding social media and the desire for anonymity.
"Social media requires connections and the encouragement for users to interact with people they personally know," Caudill said. "Adding anonymity into the mix requires some compromising on one side or the other."
What people are posting on Secret, and on similar apps, are more often embarrassments rather than serious confessions, but there are still legitimate secrets that many people would not want getting out.
"Keep in mind what could go wrong if there was no anonymity and your communication was open," Caudill advised users.