There's a truism that I like to share with as many people as possible: if you don't want other people to see something, then don't post it online. It is, you might think, a pretty simple concept to grasp. After all, you wouldn't stroll into a bar with a megaphone and yell "I'm not wearing underwear" if you wanted to keep that secret, would you? But would you write that fact down on small pieces of paper and slip them unnoticed into the pockets of people in that bar if you wanted to reveal all (please excuse the unfortunate choice of phrase) without revealing your identity? In a nutshell, that's what apps such as Secret promise to do; but such a promise of anonymity is always going to be hard to deliver.

Secret is one of an increasingly popular application genre known as 'anonymous sharing', which lets you send 'secrets' to your circle of friends without them actually knowing it was you. At least, that's the idea. Seattle-based security outfit Rhino Security Labs quickly shot holes in it with a remarkably simple workaround. Secret relies upon 'crowd anonymity', for want of a better description: you join up and let the app interrogate your contacts book and Facebook friends to find others using the app, and those people become your secret social circle. To see any of their posts you need to have seven or more friends, but you won't know which of your friends these are because the app doesn't tell you. Or at least that's how it is meant to work. I've always thought it was flawed anyway, as I would know that it was one of my contacts who posted it; so while I may not know exactly who, the secret is not exactly totally anonymous either. Quite often it would be easy enough to work out, if you know the people in your social circle well enough. But that's beside the point; what Rhino did was use a whole bunch of fake accounts to reveal the truth.

At the time of the research there was no email or telephone verification block on creating accounts, although Secret may well change that now that the details of this hack have been responsibly disclosed to them via their own bug hunting bounty scheme. So creating as many as you wanted was no problem at all. Rhino used a script to create 50 accounts in rapid succession, and added seven of them (numbers and emails) to a blank contacts list on a phone. The only other contact to be added to that address book would be the mark, and all that was needed was the email address. By signing up for a new Secret account and syncing that contact list, Rhino could follow a total of eight accounts, seven of which it controlled. Any 'secret' posted by a friend could, in fact, only be authored by the mark.
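The collapse described above is easy to model. The following is an added example, not code from the article, from Rhino Security Labs or from Secret itself: it treats the seven-friend rule as a simple threshold, computes the set of people who could plausibly have authored a post labelled 'friend' from a given account's point of view, and shows how counting only verified accounts towards the threshold (an assumed mitigation, not something the page says Secret implemented) stops the set from shrinking to one person. All handles and the verified flag are constructed for the example.

```python
# Added example (not from the article, Rhino Security Labs or Secret): a small
# model of a 'crowd anonymity' threshold, showing why the anonymity of a 'friend'
# post collapses to a single person when the observer controls the other friends,
# and how counting only verified accounts towards the threshold blunts that.
from dataclasses import dataclass, field

THRESHOLD = 7  # friends needed before a friend's posts become visible (per the article)


@dataclass
class Account:
    handle: str
    verified: bool = False  # email/phone verification, the control the article says was absent
    contacts: set = field(default_factory=set)  # handles in this account's synced address book


def friend_circle(observer: Account, directory: dict) -> set:
    """Contacts of the observer that correspond to existing accounts on the service."""
    return {h for h in observer.contacts if h in directory}


def can_see_friend_posts(observer: Account, directory: dict, verified_only: bool = False) -> bool:
    """The visibility gate: enough friends in the circle.

    With verified_only=True, unverified accounts do not count towards the
    threshold. This is an assumed mitigation, not Secret's actual logic.
    """
    circle = friend_circle(observer, directory)
    if verified_only:
        circle = {h for h in circle if directory[h].verified}
    return len(circle) >= THRESHOLD


def anonymity_set(observer: Account, directory: dict, controlled: set) -> set:
    """Who could have written a post labelled 'friend' from the observer's point
    of view: the friend circle minus the accounts the observer itself controls."""
    return friend_circle(observer, directory) - controlled


def build_scenario(n_fake: int = 50, n_in_contacts: int = 7) -> tuple:
    """Constructed data mirroring the article: 50 script-created accounts, seven
    of them plus the mark in an otherwise blank address book.
    Returns (directory, observer, controlled handles, mark handle)."""
    directory = {}
    fakes = [f"fake{i:02d}@example.invalid" for i in range(n_fake)]  # constructed handles
    for h in fakes:
        directory[h] = Account(h, verified=False)
    mark = "mark@example.invalid"  # constructed handle for the target of the lookup
    directory[mark] = Account(mark, verified=True)
    observer = Account("observer@example.invalid", verified=False,
                       contacts=set(fakes[:n_in_contacts]) | {mark})
    directory[observer.handle] = observer
    return directory, observer, set(fakes), mark


def benign_scenario(n_friends: int = 10) -> tuple:
    """Constructed comparison: an ordinary user with genuine, verified friends.
    Returns (directory, user, controlled handles)."""
    directory = {}
    friends = [f"friend{i}@example.invalid" for i in range(n_friends)]
    for h in friends:
        directory[h] = Account(h, verified=True)
    user = Account("user@example.invalid", verified=True, contacts=set(friends))
    directory[user.handle] = user
    return directory, user, set()


if __name__ == "__main__":
    directory, observer, controlled, mark = build_scenario()
    # Eight friends in the circle, so the gate opens...
    print("gate open:", can_see_friend_posts(observer, directory))  # True
    # ...but only one of them is not under the observer's control.
    print("possible authors:", anonymity_set(observer, directory, controlled))  # {mark}
    # Counting verified accounts only, the circle has one member and the gate stays shut.
    print("gate open, verified only:", can_see_friend_posts(observer, directory, verified_only=True))  # False
    d2, user, _ = benign_scenario()
    print("benign anonymity set size:", len(anonymity_set(user, d2, set())))  # 10
```

The point of the `verified_only` variant is that a threshold is only as strong as the cost of manufacturing the accounts that satisfy it: if each counted friend has to have a verified phone number or email address, the seven-account circle can no longer be scripted into existence in seconds. A production service would also want to look at account age and whether the friends have any contacts other than the observer, but the threshold-on-verified-accounts rule is the minimum that turns the anonymity set back from one into many.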

Now I'm the first to admit that real-world scenarios of how this would impact upon anyone, or could be used to any real effect, are about as hard to conjure up as an image of an honest politician. More concerning is that people use these kinds of applications with an assumption of anonymity which, frankly, is always going to be flawed. Indeed, when WIRED magazine asked Secret CEO David Byttow about the bounty scheme, which had been running for six months, he confirmed that the company had closed 42 security holes identified by some 38 researchers. That rather reasserts my original statement: if you really want to keep something secret then don't tell anyone about it, and certainly don't post it on the Internet or around some smartphone sharing app.

If you want more proof of this, does anyone recall the fuss surrounding Snapchat, the anonymous image sharing app, earlier this year? As reported on DaniWeb in January, hackers managed to access the database of Snapchat users' names and email addresses. If that weren't serious enough, claims that all photos (often flirtatious or sexual in nature) self-destruct from the server after 10 seconds were over-played. Sure, the original may well be unavailable after that initial flash (pun intended), but it's easy enough for a recipient to take a screenshot and then have a copy forever.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Don't post unwanted spammy treats, it's not like user friendly. It's like an article, so I don't have time to study such an article, so post simply.


What? It is an article... The clue is in the fact it says News Stories in the directory structure.

How is it spammy, by the way? I'm really looking forward to your explanation.

Do bear in mind that I'm one of the admins here who helped write the rules...



Great post, Geek; now lots are aware of the security flaws in Snapchat, which relies on things caching on your device's storage. The one hope is new items such as crypto-phone and Mark Cuban's Cyber Dust, which may actually provide users a bit more safety to their privacy (due to relying on encrypting information in the system memory versus system storage); but like anything it is not 100% foolproof.

In the last little bit we have seen a change in the technology industry, where we have gone from code first to design first. I think in the future we may see the user experience (including security protocols) get designed prior to the user interfaces, prior to the actual development.

As a company who designs, develops and markets digital products and services, we are well aware of the old adage that what can be built can also be taken apart. That being what it may, you try to limit the amount of personal data available if a breach ever does occur. Fortunately the general population is finally starting to smarten up to internet/computer security, partially in part thanks to individuals such as Edward Snowden and the massive media campaign on the Heartbleed bug. However, when we see the end of people willfully putting personal information online / doing a good job of covering their tracks while online (through https) / the end of 1234 passwords, then maybe we will see a drop in security breaches. But at the end of the day a program is only as strong as its weakest user.


I agree, whenever you check your emails, update your status and even just log in you are being watched. Much worse, the information that they gather about you is indispensable.
