[liberationtech] Revealed: how Whisper app tracks 'anonymous' users
Rich Kulawiec
rsk at gsp.org
Sun May 3 05:47:44 PDT 2015
On Thu, Oct 16, 2014 at 04:54:35PM +0100, Yishay Mor wrote:
> Revealed: how Whisper app tracks 'anonymous' users
>
> http://gu.com/p/42bqn
It's apparently much, MUCH worse than that:
"a confederacy of 'privacy' dunces": what we found under the hood of an 'anonymous' chat app used by millions
http://www.xipiter.com/musings/a-confederacy-of-privacy-dunces-what-we-found-under-the-hood-of-an-anonymous-chat-app-used-by-millions
That's a fairly lengthy article, so here's a brief excerpt:
We found many critical issues which we will catalog below in
the "Technical Details" section, but the short of it is that we
found that we could:
- hijack a user's account
- post (publicly or privately) as a hijacked user
- view all of a user's current and past private messages
In the course of this work we also discovered some other things
that highlight the broader privacy issues especially as they
relate to mobile apps and "anonymity" promising services.
But before we go any further, we'll share a video that
demonstrates us taking over an account and retrieving past and
current messages for a hijacked user account (without the user
knowing). As of this posting, this vulnerability is yet unfixed.
---rsk