The Secret app that's not so secret after all

Hackers identify the names of people behind supposedly anonymous posts

PUBLISHED : Monday, 25 August, 2014, 4:00am
UPDATED : Monday, 25 August, 2014, 4:00am

Anyone who thought they had finally found a place to share secrets anonymously will need to think again.

The chief executive of Secret, the anonymous-sharing app that has attracted many nameless confessors, has confirmed the app's vulnerability and that anonymity is not guaranteed

"The thing we try to help people acknowledge is that anonymous doesn't mean untraceable," David Byttow, chief executive and co-founder of Secret, said. "We do not say that you will be completely safe at all times and be completely anonymous."

Secret works by a person setting up an account with a phone number, email address or Facebook account, and Secret then connects to friends who are using the app.

The user can see and comment on secrets posted by friends, and friends of friends, thanks to Secret's algorithm that tracks contacts. Users could also share secrets "all anonymously", Secret promised.

However, "white-hat hackers" (those who consider themselves ethical) Benjamin Caudill and Bryan Seely were able to identify the names of people behind the supposedly anonymous posts on Secret by using personal email addresses.

"We were able to manipulate the process of adding friends to the app and replace real 'friends' with dummy accounts we created, causing the application to believe we have a large group of friends and that any one friend's secret would be anonymous," Caudill said.

"In actuality, only one real person was added, the victim, so any secrets from friends would be identified as theirs."

Secret needs you to have only seven contacts to see your friends' posts. Caudill created a pool of 50 accounts for his experiments. Although the result was surprising to Caudill, he said these sorts of flaws were common for mobile applications, especially for start-ups.

It is routine for companies such as Secret to make advancements as hackers disclose vulnerabilities through a bug count that the company instituted six months ago. The Secret team has closed 42 security holes identified by white-hat hackers. For many start-up companies, the technical controls don't match the marketing and the user may not necessarily be getting what has been claimed, sometimes to their great embarrassment.