Secret is supposed to be an app repository for all of the things you just have to say out loud but don’t want attached to your name. That’s how it’s supposed to work, but one little-known secret is that Secret isn’t all that secret.
As the Washington Post noted last week, Secret’s chief executive recently said that the company isn’t exactly promising that users’ posts will be totally anonymous.
“We do not say that you will be completely safe at all times and be completely anonymous,” David Byttow told Wired last week.
Well, that’s reassuring. Just what is it that could make your Secret secrets better known? As with seemingly everything nowadays, it’s hackers.
Specifically, two “white-hat hackers” – those who consider themselves “ethical” and don’t steal passwords and data and other secrets for the lulz – said that they could figure out the identities of Secret posters by using their personal email addresses.
The problem stems from the fact that you sign up for a Secret account using your Facebook login information, email address, or phone number. That’s how Secret connects you to your friends, allowing you to see “anonymized” postings that they’ve created.
The hackers found a workaround, wherein they deleted their real contacts, created dummy Secret accounts, and added their friends’ real email addresses to their contact lists.
“We were able to manipulate the process of adding friends to the app,” they told Wired, “causing the application to believe we have a large group of friends and that any one friend’s secret would be anonymous.”
The long and short of it was that the hackers were able to reveal who was posting what secrets and when. Of course, the secrets that are posted on the app tend to be pretty benign, but it does go to show that, if someone really wants to, they can find out what you’re saying, even when you think nobody can watch you.
The hackers say that Secret is actually one of the more secure “anonymous” apps.
“Secret actually has pretty good security in many areas,” one hacker said, “but the deck is stacked against companies today. It’s hard for them to cover all possible vulnerabilities without a lot of specialized help.”
Looks like you’ll have to be careful what app you post your cream cheese confessions to. And here you were thinking that your iPhone would be able to replace the confessional booth. Or you could just go old school and keep a journal. Imagine that.