Users are flocking to anonymous apps this year, seemingly enticed by the concept of posting something without having to own up to it. If a post can’t be tracked back to a user, they can say anything they want, for better or worse. According to white hat hacker Ben Caudill, who found a way to discover the identity of Secret users, the general outcome may be for worse.
Caudill, co-founder of Rhino Security Labs, managed to turn Secret’s method of anonymizing data against itself. First, he cleared the contacts from a phone, and added seven contacts that had blank profiles on Secret. By adding an eighth contact — you only need a phone number or email address — Secret’s threshold would trigger and Caudill would start seeing “anonymous” secrets from his contacts.
Obviously, when you only have one real contact, it’s pretty easy to figure out who the secrets belong to. Vulnerabilities like this are the main sticking point when it comes to anonymous apps. How is it possible to tie anonymity to a tangible piece of information like a phone number or email address? The answer: It’s just the illusion of privacy.
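The weakness described above is a property of the threshold rule itself, not of any particular app: if every contact counts toward the "you may now see your friends' posts" gate, then a viewer who controls the contact list can shrink the set of possible authors to one. The following is an added illustration, not Secret's code and not the fix Secret shipped. It models a feed that unlocks at eight contacts (the count in the article), shows that the constructed seven-blank-plus-one-real list from the article yields an anonymity set of size one under the naive rule, and contrasts a hypothetical hardened rule that only counts contacts who are old enough and have actually posted, so throwaway profiles do not contribute to the gate. The threshold, age and post-count limits are assumptions.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical model of a threshold-gated anonymous feed.
# Not Secret's code. The limits below are assumptions for illustration.
FEED_THRESHOLD = 8          # contacts needed before friends' posts become visible (assumed)
MIN_ACCOUNT_AGE_DAYS = 30   # hypothetical: a contact must be at least this old to count
MIN_POSTS_TO_COUNT = 1      # hypothetical: a contact must have posted at least once to count


@dataclass
class Account:
    handle: str                 # a phone number or email (hashed in a real system)
    account_age_days: int
    posts: list = field(default_factory=list)


def naive_visible_posts(contacts):
    """Naive gate: every contact counts toward the threshold, blank or not."""
    if len(contacts) < FEED_THRESHOLD:
        return []
    return [post for contact in contacts for post in contact.posts]


def established(account):
    """A contact is 'established' if it is old enough and has activity.
    Freshly created blank profiles fail this test."""
    return (account.account_age_days >= MIN_ACCOUNT_AGE_DAYS
            and len(account.posts) >= MIN_POSTS_TO_COUNT)


def hardened_visible_posts(contacts):
    """Hardened gate (illustrative): only established contacts count, and only
    their posts are served. Padding the list with blank profiles no longer
    opens the feed, so the viewer cannot force a one-person anonymity set."""
    eligible = [contact for contact in contacts if established(contact)]
    if len(eligible) < FEED_THRESHOLD:
        return []
    return [post for contact in eligible for post in contact.posts]


def anonymity_set_size(contacts):
    """Number of contacts who could plausibly have authored a visible post.
    A contact with no posts cannot be the author, so it adds nothing."""
    return sum(1 for contact in contacts if contact.posts)


def build_probe_contact_list():
    """Constructed list matching the article: seven blank profiles plus one real friend."""
    blanks = [Account(f"blank{i}@example.invalid", account_age_days=0) for i in range(7)]
    friend = Account("friend@example.invalid", account_age_days=400,
                     posts=["constructed sample post"])
    return blanks + [friend]


def build_normal_contact_list():
    """Constructed list of eight long-standing, active contacts (the ordinary case)."""
    return [Account(f"person{i}@example.invalid", account_age_days=200 + i,
                    posts=[f"constructed post from person{i}"]) for i in range(8)]


if __name__ == "__main__":
    probe = build_probe_contact_list()
    print("naive gate, probe list:    ", naive_visible_posts(probe),
          "| anonymity set =", anonymity_set_size(probe))
    print("hardened gate, probe list: ", hardened_visible_posts(probe))
    normal = build_normal_contact_list()
    print("hardened gate, normal list:", len(hardened_visible_posts(normal)), "posts",
          "| anonymity set =", anonymity_set_size(normal))
```

The point of `anonymity_set_size` is that the gate should be measured by how many contacts could have written what the viewer sees, not by how many entries the contact list has; a server-side check that counts only plausible authors, plus alerting on accounts that wipe and rebuild their contact list right before the feed unlocks, is the kind of control a reviewer of such a feature would ask for.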
“You can’t both try to connect with all your friends and be really social and network with everything, and that same time try to do all that anonymously,” Caudill told Wired. Secret CEO David Byttow responded, “We do not say that you will be completely safe at all times and be completely anonymous.”
Based on Byttow’s admission, Secret is merely anonymous enough to cloak what your friends are saying. Is that enough given the nature of what people post to anonymous apps?
The difference between Secret and, say, Snapchat, is that Secret is actively trying to weed out security flaws. Its HackerOne program offers a bounty to hackers who identify problems and bring them to Secret before the bugs have a chance to do any damage. This was precisely Caudill’s intent when detailing the exploit, which has since been closed.
Anonymous apps don’t provide perfect privacy or perfect anonymity. Maybe most users don’t have a problem with being camouflaged instead of invisible. Given how much user data is subject to mining, targeted advertising and exploitation, perhaps the only way to keep your data and secrets out of the hands of others is to simply keep quiet online.