Messaging app Yik Yak is a big hit with US college students and venture capital investors alike, having grown rapidly on campuses since its launch in late 2013, culminating in a recent $61m funding round.
One of the app’s key features is anonymity: people can post messages without divulging their identity. At least, that’s the theory.
In practice, until recently Yik Yak had a vulnerability that could have given hackers “the ability to deanonymize a user and take total control of their account”. That’s according to online security firm SilverSky, which discovered the privacy loophole.
“An attacker is able to view all of the target’s previous posts, make new posts, and literally log in to the app using the target’s credentials,” explained researcher Sanford Moskowitz in a blog post, published after Yik Yak had been alerted to the vulnerability, and patched it.
“This attack can be easily conducted by anyone on the same network as the target, which is a very common situation for Yik Yak’s main demographic: college students. As an example of an attack, hacktivists could exploit this vulnerability to identify bullies on their school’s WiFi network.”
SilverSky’s research is the latest warning to smartphone owners that apps promising anonymity may not always deliver on that promise, for one reason or another.
In August, researchers from Rhino Security Labs revealed an exploit to identify posts from individual users of anonymous social app Secret, while its rival Whisper was the subject of a Guardian investigation in October that included the claim that the company was monitoring the location of some users.
Launching a slick app that doesn’t ask people for their real names is one thing, but protecting those people from the skills of malicious hackers – or thankfully in Yik Yak’s case, benign security researchers – quite another.
Both groups will be training their sights on any new messaging app that becomes popular. Yik Yak will surely be setting aside a chunk of that $61m funding round for some information security specialists.
This article was written by Stuart Dredge for theguardian.com on Tuesday 9th December 2014, 08.40 Europe/London.