Folks divulge their dirty laundry on popular mobile app Secret in confidence. With a name like Secret, people put trust in the platform, and use it as a form of digital therapy—a place where they can share stuff they wouldn’t normally reveal. But it turns out posts on the service aren’t so secret after all. Ironic, no?
The good news is that the hack, which allowed researchers to identify users behind Secret posts, has been taken care of by the app’s developers. The bad news is that something like this existed in the first place. So while Secret is seemingly safe once again to post anonymous dirt, there’s always that lingering possibility that someone out there can figure out who is doing what.
The “hack” was actually incredibly simple, and used a boneheaded loophole to figure out who was posting what. Secret is designed in a way that shows a stream of friends, and friends of friends; right now in order for stuff to start appearing you need to have multiple friends using the app, but once the necessary requirements are met, you’ll start getting secrets filling your feed.
Benjamin Caudill and Bryan Seely figured out a way around this by creating a bunch of fake bot accounts. Once these accounts were created, they would connect with a friend and keep an eye on the stream. These bots wouldn’t post anything, so the bots met the friend requirement without adding any possible authors: whatever showed up in the stream could only have come from the one real friend. That means that when friends posted what they thought were secrets, Caudill and Seely would know exactly who posted it.
Of course, had there been more actual humans behind these accounts, Caudill and Seely’s (sounds like a cop drama TV show) trick wouldn’t have worked. But it’s still surprising how easy the clever little exploit was. Everything has supposedly been fixed, but I would still proceed with caution when posting those really juicy bits of information. Someone out there probably knows it’s you.