SAN FRANCISCO – Anonymity app Secret and an independent security consultant are coming clean about a hack that could have destroyed the entire point of the popular secret-sharing app.
Bryan Seely, who made headlines earlier this year with a Google Maps hack that let him listen in on FBI and Secret Service phone calls, figured out how to identify the person behind specific posts to Secret. The app has become popular because it lets you share secrets to your friends without revealing who you are. Seely built his hack around a small nugget of identifiable information that Secret makes public: your connection to the poster.
Secret identifies three levels of connection to a person: friend, friend of friend, and stranger. Seely was able to take advantage of that and created a way to determine the person behind a Secret post.
“We showed David [Byttow, Secret’s co-founder and CEO] a photo [that he took] that we pulled from Secret. He asked us if we were submitting a bug report,” said Seely, chief technology officer for Rhino Security, a small analysis and research startup that nevertheless counts big-name investor Mark Cuban’s Cyber Dust firm as a client.
“He [Byttow] was worried that it was a shake-down,” Seely said.
The vulnerability that allowed the hack has now been fixed, Secret says.
To read the rest of the column, Click on CNET.Com
