Hackers recently showed that Secret, the anonymous social networking app that encourages users to "speak freely," may not be so secretive after all.
Speaking with Wired, Ben Caudill, co-founder of Seattle's Rhino Security Labs, showed how he could find any users' "secret" posts with just their email address or phone number.
According to Business Insider, Secret has since fixed the issue. "As near as we can tell, this hasn't been exploited in any meaningful way," Secret CEO David Byttow told Wired. "But we have to take action to determine that."
Caudill found the hack with colleague Bryan Seely, and the duo hopes to capitalize on Secret's HackerOne bug bounty program for exposing the flaw. To do this, they created a bot to set up Secret accounts with various fake email addresses and then added one real email address to determine that user's Secret posts. Feasibly, someone without the hacker savvy, but with enough time and determination, could have performed the trick on their own.
Caudill pointed out that the bug works one way, meaning he was able to determine a user's secrets from his or her email address, but couldn't determine a user from a posted secret.
This is hardly the first such flaw exposed by hackers. In fact, since Secret instituted the HackerOne program, it has exposed and corrected 42 security flaws.
"As hackers disclose these kinds of vulnerabilities through our HackerOne bounty, we just make more and more advancements," said Byttow. "We've had zero public incidents with respect to security and privacy. Everything has come through our bounty program."
But these hacks raise the question of just what is and isn't safe to share on the platform, and whether it's possible for Secret to be both a social network and a place to air dirty laundry. Caudill, for one, is skeptical. "You can't both try to connect with all your friends and be really social and network with everything, and [at the] same time try to do all that anonymously," he told Wired. "I can't see a situation where you can have your cake and eat it too."
Byttow, for his part, was quick to acknowledge the limits of the platform. "The thing we try to help people acknowledge is that anonymous doesn't mean untraceable," he said. "We do not say that you will be completely safe at all times and be completely anonymous."
He does, however, think Secret offers a valuable service, providing users an alternative to highly visible platforms like Twitter and Facebook. "It's our job to make sure people feel safe and in control," he told Wired. "People can't do that on Facebook. That's our mission, so people can put this stuff out there and not feel alone. That's so important."